Title: From public cloud to infiltration into intranet roaming

0x01 Introduction

When an enterprise hosts its business on a public cloud such as Tencent Cloud or Alibaba Cloud, those hosts are not connected to the enterprise's intranet; this amounts to logical (not physical) isolation. If the enterprise's information security is reasonably good and it does not expose VPN, router or firewall services, it is hard to pin down the public IP address used by the enterprise's intranet during information gathering, and penetrating the intranet becomes comparatively difficult.

Below I walk through an actual penetration from a public cloud host into the intranet for roaming.

0x02 Initial Steps

How the cloud server was obtained is not the focus of this article, so I will not go into detail; I will only briefly outline the approach.

Starting from the company name, a Baidu search turned up the official website. Information was then collected against that site:

The site sat behind a CDN and ran on a Tencent Cloud host, so the IP kept changing and the real IP could not be determined. A command execution vulnerability was found; RCE gave server permissions directly. First, look at the IP address:

The intranet address is displayed. At this point, check the real IP, although this is useless for the subsequent intranet penetration.

Only then did I realize that it is Tencent Cloud and that the host is not on the intranet.

0x03 Finding a Way into the Intranet

At this point I need the public IP of the company's office network, which is either a firewall or a router. How to get it? I came up with an approach: operations staff generally manage cloud hosts over SSH, and during working hours they connect in; at that moment the company's real public IP becomes visible.

Here is a small trick. In a small company, operations may not connect for ten days or half a month. In that case one can do some "minor damage" to force operations to log in.

For example, stop its web service, etc. Pay attention to two points: don't overdo it, so that operations does not realise the host has been hacked (of course you can establish persistence in advance; I won't cover that here); and if you don't have "authorization", don't mess around. If you don't have authorization, don't mess around. If you don't have authorization, don't mess around, otherwise you will end up in the bureau eating a free meal. Why do illegal things? Haha.

Let's see whether operations is online:

[root@VM-0-13-centos ~]# netstat -lantp | grep ESTABLISHED

We focus on the sshd process. The public IP in front of it is the public IP of the company where the operations staff sit. I found two of them here.
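The same netstat check is what a defender should be running on a cloud host: restrict SSH to a bastion or known office/VPN ranges and alert on any established sshd session from elsewhere. The following is an added example, not code from the original post; the netstat output and the allowlisted network are constructed for illustration.

```python
import ipaddress

# Constructed sample of `netstat -lantp` output (not captured from any real host).
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      800/sshd
tcp        0      0 172.16.0.13:22          203.0.113.45:51234      ESTABLISHED 1234/sshd: root [priv]
tcp        0      0 172.16.0.13:22          198.51.100.7:40022      ESTABLISHED 1300/sshd: ops [priv]
tcp        0      0 172.16.0.13:80          192.0.2.99:55555        ESTABLISHED 900/nginx: worker
"""


def parse_established(netstat_output):
    """Yield (local, remote_ip, program) for every ESTABLISHED TCP line."""
    for line in netstat_output.splitlines():
        if not line.startswith("tcp"):
            continue                      # skip headers and udp/unix lines
        parts = line.split(None, 6)       # program name may itself contain spaces
        if len(parts) < 7 or parts[5] != "ESTABLISHED":
            continue
        local, foreign, program = parts[3], parts[4], parts[6]
        remote_ip = foreign.rsplit(":", 1)[0]
        yield local, remote_ip, program


def ssh_sessions_outside_allowlist(netstat_output, allowed_cidrs):
    """Return remote IPs of established sshd sessions not in the allowed networks.

    allowed_cidrs: the office/VPN/bastion ranges from which SSH is expected.
    Anything returned is worth an alert: either an unknown admin location or an
    attacker already holding a session on the host.
    """
    allowed = [ipaddress.ip_network(c) for c in allowed_cidrs]
    offenders = []
    for _local, remote_ip, program in parse_established(netstat_output):
        if "sshd" not in program:
            continue
        addr = ipaddress.ip_address(remote_ip)
        if not any(addr in net for net in allowed):
            offenders.append(remote_ip)
    return offenders


if __name__ == "__main__":
    # Constructed allowlist: only the office egress range may open SSH sessions.
    print(ssh_sessions_outside_allowlist(SAMPLE_NETSTAT, ["203.0.113.0/24"]))
```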

0x04 Penetrating the IPs Found Above

Another round of the same tedious information gathering. A Shiro deserialization vulnerability was found and a shell was bounced back directly.

Got in directly. Look at the intranet address: it is 10.10.10.187. Check whether the target machine can reach the external network. The ideal state is that it can, after which a proxy can be started to enter the intranet for penetration.

0x05 Happy Intranet Roaming

The frp + Proxifier proxy is set up. I won't describe how to build it in detail here; Google it yourself, it's very simple. It is best to use a SOCKS5 proxy and encrypt it to avoid AV traffic detection; it is also best to set a password on the proxy to prevent "others" from using it. I used a modified version of frp here that loads its configuration file remotely, which evades detection slightly and makes tracing a little harder:

The proxy is up. Next, scan the intranet: the classic MS17-010 vulnerability is present, and in fact many other vulnerabilities were found as well. Let's take MS17-010 as the quickest start; it is a Windows server, which has great utilization value. After taking it, use the server as another layer of proxy. Even RDP alone could quickly end the battle in one go. My msf is on the public network; I use proxychains to proxy and attack directly.

Launch the attack; run it a few more times, since a single attempt sometimes fails. The attack succeeded (this picture was added later, so the details may be inconsistent, but the principle is the same).

The permissions are already the highest system permissions, so privilege escalation can be skipped.

Use mimikatz to grab the password. Got the administrator's password and found that 3389 was open; log in directly through the proxy. Found this: a virtual machine backup that allows local authentication, which is a problem.

A Qunhui (Synology) NAS was also found.

Three vCenters with a large number of virtual machines; a quick look showed hundreds of them, all of which could be taken over.

0x06 Summary

1. Search the target company's name to find its official website address and collect information. The IP the site resolves to belongs to a CDN service, so the company's real address cannot be obtained. A remote command execution vulnerability exists on one of the company's subdomains, which yields server permissions.
2. Connect remotely through Ice Scorpion (Behinder) and run commands to query the IP address (ifconfig). The addresses found are intranet addresses; querying the public address shows it is still a Tencent Cloud IP.
3. The target company's egress public IP is needed. Here the target site can be made to suffer web service downtime or abnormalities (authorization is required, e.g. stopping the service and causing abnormal web service traffic), after which the operations staff will log in to the bastion host and then to the Tencent Cloud host to check the web service.
4. At this point check the network connections to get the target company's egress public IP:
   netstat -lantp | grep ESTABLISHED
5. Information collection shows that a certain port is exposed on the target company's public IP and that it has a Shiro deserialization vulnerability.
6. Run a command to view the IP address; the target is on the intranet address 10.10.10.187. Test whether it can reach the external network: ping www.baidu.com
10. Set up a SOCKS5 proxy through frp + Proxifier or proxychains. Set a password on frp and enable simple encryption.
12. Run fscan through Proxifier to scan the target intranet; 10.10.10.105 has MS17-010.
13. Run msf through proxychains, attack with the MS17-010 module, and get plaintext credentials with mimikatz:
   msf > use exploit/windows/smb/ms17_010_eternalblue
   msf > set rhosts 10.10.10.105
   msf > run
   meterpreter > getuid        // shows SYSTEM permissions
   meterpreter > load_kiwi     // load mimikatz
   meterpreter > creds_wdigest // get hash values
14. Get the administrator's password and find that 3389 is open. Log in to the remote desktop directly through the Proxifier SOCKS5 proxy.
15. After entering the system, a virtual machine was found that uses local authentication. After logging in to the virtual machine, it turned out to be a Qunhui (Synology) NAS.
16. The Synology NAS holds VMware vSphere, with 3 vCenters.

Original link: https://mp.weixin.qq.com/s?__biz=Mzg4NTUwMzM1Ng==mid=2247492954idx=1sn=412bbb64e880e6f63ba3ae05b2129eb0chksm=cfa54149f8d2c85f3145e011edf2ec5b05b2d0614b0408d4d48ea8daa03087037228502c1686scene=178cur_album_id=1553386251775492098#rd
